CCNP ENARSI Implementing Cisco Enterprise Advanced Routing and Services
Exam: 300-410
First Edition
CHAPTER 01: INTRODUCTION
Introduction
By obtaining a Cisco CCNP Enterprise (ENARSI 300-410) certification, you can
ensure that you have a firm grasp of Cisco's device design and configuration
and common industry protocols. With a large global presence, Cisco has a
significant market share of routers and switches.
You can acquire the skills required to install, administer, operate, and
troubleshoot a business network by passing the Implementing Cisco
Enterprise Advanced Routing and Services (ENARSI) exam. The advanced
routing and infrastructure technologies covered in this course go beyond the
subjects covered in the Implementing and Operating Cisco Enterprise
Network Core Technologies (ENCOR) course. This course covers the
Implementing Cisco® Enterprise Advanced Routing and Services (ENARSI)
exam and the new CCNP® Enterprise and Cisco Certified Specialist -
Enterprise Advanced Infrastructure Implementation certifications.
Networking
Computer networking is the process of transmitting and exchanging data
between nodes over a shared medium in an information system. A Local Area
Network (LAN), a private Wide Area Network (WAN), or the internet allows
devices and endpoints to be connected. This capability is essential for
service providers, enterprises, and customers worldwide to share resources,
use or supply services, and communicate. Networking underpins everything
from phone conversations to text messages to streaming video to the
Internet of Things (IoT).
The design, construction, and use of a network are all parts of networking,
as are the management, operation, and maintenance of the network's
hardware, software, and protocols. The complexity of a network directly
affects the level of expertise needed to run it. For example, when a major
organization has thousands of nodes and strict security requirements, such
as end-to-end encryption, skilled network administrators are needed to
manage it. In short, networking technology has changed the world and opened
up new possibilities for growth in every part of it.
Security
A broad notion, network security includes various tools, systems, and
procedures. In a nutshell, it is a collection of guidelines and configurations
created to safeguard the privacy, accessibility, and integrity of computer
networks and data by utilizing software and hardware technologies.
Regardless of size, sector, or architecture, every organization needs network
security solutions to safeguard it from the ever-growing environment of
online threats.
Cisco Course
Cisco Systems, Inc. is a pioneer in global technology, with a focus on
networking and communications products and services. The company's business
switching and routing products, which carry data, voice, and video traffic
across networks worldwide, are probably its best-known.
What is ENARSI?
ENARSI is a CCNP Enterprise "Specialist"-level exam, and the certificate
launched on June 9th, 2019. It is the first ENARSI exam version to count
toward the CCNP Enterprise certification and to award the applicant a
Cisco Certified Specialist – Enterprise Advanced Infrastructure
Implementation certificate.
ENARSI can be your first and best option in one of two scenarios:
• If you want to dive deep into routing protocols and services based on
enterprise-level networks
• If you already have a working knowledge of the old CCNP RS and want to
review related material
Why take the CCNP ENARSI?
This book aims to significantly raise your chances of passing the ENARSI
300-410 exam. Although it can be used for other purposes, it is not
intended to be a general networking textbook; its primary mission is to
assist you in passing the exam.
In light of this, why would you wish to pass the ENARSI 300-410 exam?
Because obtaining the CCNP Enterprise certification, which is no small task,
depends on passing this milestone. What would you gain personally from
earning the CCNP Enterprise certification? A pay increase, a promotion, or
acclaim? Why not improve your resume? Proving that you are serious about
learning more and are not content to sit back and take it all in? Pleasing your
reseller-employer, who needs more qualified staff to receive a greater Cisco
discount? The CCNP Enterprise certification may be something you want for
several reasons, including one of those listed above.
Benefits?
This book's core methodology is to assist you in identifying the exam topics
you need to review in more detail, and how to properly comprehend,
remember, and demonstrate to yourself that you still know the material.
This book aims to help you learn the material effectively rather than
memorize it. For a routing/switching engineer or expert to be skilled, they
must possess the knowledge covered in the ENARSI 300-410 exam, which
covers foundational topics in the CCNP certification. If this book did not try
to make you learn the subject, it would be a disservice. To that aim, the
following strategies are included in the book to assist you in passing the test:
• Assisting you in identifying the test subjects you need more practice
with
• Offering justifications and details to close any knowledge gaps
• Providing exercises and scenarios that improve your capacity for
memory and deduction of test question answers
• Offering test questions on the companion website that serve as
practice exercises for the subjects and the examination procedure
Future of CCNP-ENARSI
Only if you possess superior enterprise networking knowledge and abilities
will you be able to contribute to the dynamic technological environment of
today and the future. With your CCNP Enterprise certification, you will
access a broad range of narrowly focused skills in significant technological
areas. This illustrates the value of a Cisco certification to your career
progress. The future need for cutting-edge talents will increase due to the
organization's growing need for networking solutions. As a result, a Cisco
CCNP Enterprise certification guarantees that there are enough
professionals on hand to address this growing need. And considering the
benefits they stand to gain, no one could pass up this vital chance.
Demand in 2022
The CCNP ENARSI has significantly changed recently, yet it will still be
valuable in 2022. The CCNP ENARSI certification will be useful in 2022 since
it attests to your proficiency in managing and configuring enterprise-level
networks. Administrators who work for companies that rely on sizable,
campus-wide networks will benefit from the CCNP ENARSI in 2022 as a way to
demonstrate their knowledge and competence.
This book is intended to assist you in reaching the point where you can pass
the exam in the shortest amount of time possible, regardless of your
approach or background. For example, if you already fully comprehend IP
addressing and subnetting, there is no need for you to practice or study it.
However, many people want to review information they already know to
ensure they understand a subject. Several book features will give you the
assurance you need to believe that you already understand certain material
and will assist you in identifying the subjects you need to learn more about.
Prerequisites
The prerequisites for this course are:
• Basic knowledge of network principles
• Basic understanding of LAN implementation
• General knowledge of network device management
• General knowledge of network device security
• Understanding the basics of network automation
To assist you in completing these requirements, these Cisco courses are
advised:
• Implementing and Operating Cisco Enterprise Network Core Technologies
(ENCOR) v1.0
• Interconnecting Cisco Networking Devices, Part 1 (ICND1) v3.0
• Interconnecting Cisco Networking Devices, Part 2 (ICND2) v3.0
CHAPTER 02: LAYER 3 TECHNOLOGIES
Introduction
Layer 3 includes the network's switching and routing technologies, which
establish logical paths for data transmission between network nodes.
Routing and forwarding, internetworking, addressing, packet sequencing,
congestion control, and additional error handling are among Layer 3's
primary responsibilities. Layer 3 uses many protocols, which must be
troubleshot when they do not work properly. Hence, in this chapter, we will
learn how to troubleshoot issues in routing protocols.
This chapter will focus on troubleshooting EIGRP for IPv4, EIGRPv6 (EIGRP
for IPv6), and named EIGRP. As OSPF can route for IPv4 and IPv6 Protocols,
this chapter will discuss troubleshooting OSPFv2 and troubleshooting
OSPFv3. OSPFv3 is designed for routing IPv6 networks. This chapter will
focus on troubleshooting OSPFv3 using classic configurations and the OSPF
address family configurations.
Additionally, this chapter will discuss the different problems you could
encounter when attempting to set up an IPv4 or IPv6 internal Border
Gateway Protocol (iBGP) neighbor adjacency and how to recognize and fix
these problems.
The example below shows how to change R1 and R2 so that the external
OSPF routes' AD is set to 171, higher than the external EIGRP routes' AD of
170.
Each route is displayed in the routing database of router EAST without any
filtering:
Attributes
Attributes here refer to BGP attributes. BGP has many attributes, and if
you have worked with BGP before, you have surely dealt with route maps
many times.
Troubleshooting Loop Prevention Mechanisms
Routing loops are a common problem in many kinds of networks. They occur
when a routing algorithm malfunctions so that the routes a group of nodes
hold toward a particular destination form a loop. In link state routing
protocols like IS-IS or OSPF, the loop vanishes once the new network
topology has been flooded to all routers within a routing area. The more
recent distance vector protocols, including Babel, DSDV, EIGRP, and BGP,
have loop prevention built in: they use an algorithm that guarantees that
routing loops never happen, not even briefly. Older routing protocols like
RIP do not implement a dedicated loop prevention mechanism; they rely on
mitigation techniques like route poisoning, split horizon, route filtering,
and route tagging.
Route Tagging and Filtering
In a mesh network, routing loops can easily occur unless the protocol
provides an inherent fix. A routing loop, caused by incorrect routing
information circulating in the network, prevents some packets from being
routed properly; counting to infinity is a symptom of such loops. When
configuring multipoint redistribution, route tagging is recommended to
prevent a route from being advertised back into the routing protocol it
was learned from.
Split Horizon
Routing loops pose a serious threat to distance vector protocols. Split
horizon is one of the characteristics of distance vector routing protocols
that prevents them: a router never announces a route back out of the
interface on which it learned it.
Route Poisoning
Route poisoning is another technique distance vector routing protocols use
to avoid routing loops. When a router notices that one of its directly
connected routes has failed, it transmits an advertisement for that route
with an infinite metric (poisoning the route). A router that receives the
update knows that the route has failed and stops using it.
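The following simulation is an added example, not code from this book. It models two routers, A and B, with a constructed network 10.0.3.0/24 behind B and a RIP-style hop count where 16 means unreachable. When B's network fails, it replays synchronous update rounds and records what A does without any mitigation (the count-to-infinity behaviour described above), with split horizon alone, and with split horizon plus route poisoning. Route poisoning is shown together with split horizon because, in this model as in practice, without split horizon B would simply accept A's stale route back.

```python
"""Distance-vector loop prevention: split horizon and route poisoning.
Added example, not from the book. Router names and the prefix are constructed.
"""
INFINITY = 16                  # RIP-style "unreachable" hop count
PREFIX = "10.0.3.0/24"         # constructed network directly connected to B


class Router:
    def __init__(self, name):
        self.name = name
        self.neighbors = []
        self.table = {}        # prefix -> (metric, learned_from); None = connected
        self.peak = 0          # highest metric this router ever installed

    def connect(self, other):
        self.neighbors.append(other)
        other.neighbors.append(self)

    def advertisement_for(self, nbr, split_horizon):
        """Distance vector sent to one neighbour (one 'interface')."""
        adv = {}
        for prefix, (metric, via) in self.table.items():
            if split_horizon and via is nbr:
                continue       # never advertise a route back to where it was learned
            adv[prefix] = metric
        return adv

    def receive(self, nbr, adv):
        """Process one update from nbr; returns True if the table changed."""
        changed = False
        # routes learned from this neighbour that it no longer mentions time out
        for prefix in [p for p, (_, via) in self.table.items()
                       if via is nbr and p not in adv]:
            del self.table[prefix]
            changed = True
        for prefix, metric in adv.items():
            new_metric = min(metric + 1, INFINITY)
            cur = self.table.get(prefix)
            if cur is None:
                if new_metric >= INFINITY:
                    continue   # never install an unreachable route from scratch
                self.table[prefix] = (new_metric, nbr)
                changed = True
            elif (cur[1] is nbr or new_metric < cur[0]) and cur != (new_metric, nbr):
                # the current next hop may report a worse (even poisoned) metric;
                # any other neighbour must offer a strictly better one
                self.table[prefix] = (new_metric, nbr)
                changed = True
            if prefix in self.table:
                self.peak = max(self.peak, self.table[prefix][0])
        return changed


def run_rounds(routers, split_horizon, max_rounds=50):
    """Synchronous update rounds; returns the round in which nothing changed."""
    for rnd in range(1, max_rounds + 1):
        advs = [(src, nbr, src.advertisement_for(nbr, split_horizon))
                for src in routers for nbr in src.neighbors]
        changed = False
        for src, nbr, adv in advs:
            if nbr.receive(src, adv):
                changed = True
        if not changed:
            return rnd
    return max_rounds


def simulate(split_horizon, route_poisoning):
    """Fail B's connected network and report how A's entry for it behaves."""
    a, b = Router("A"), Router("B")
    a.connect(b)
    b.table[PREFIX] = (0, None)             # B's directly connected network
    run_rounds([a, b], split_horizon)       # steady state: A reaches it via B, metric 1
    if route_poisoning:
        b.table[PREFIX] = (INFINITY, None)  # keep advertising it, as unreachable
    else:
        del b.table[PREFIX]                 # silently stop advertising it
    rounds = run_rounds([a, b], split_horizon)
    final = a.table.get(PREFIX)
    return {"rounds": rounds, "a_final": final[0] if final else None, "a_peak": a.peak}


if __name__ == "__main__":
    for sh, rp in ((False, False), (True, False), (True, True)):
        print(f"split_horizon={sh} route_poisoning={rp}: {simulate(sh, rp)}")
```

Without either mitigation, A and B bounce the dead route between them and its metric climbs toward 16 over a dozen or so rounds before it finally disappears; with split horizon A never feeds the route back and the network converges in two rounds; with poisoning added, A is told explicitly (metric 16) instead of waiting for the route to time out.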
VRF-Lite Configuration
Figure 2-18 shows a basic VRF-Lite configuration. Isolating the
voice, data, and video networks into distinct VRF instances is one of the
objectives of the network topology displayed. You will see that the
COMMON router's Fa 0/0 interface is broken up into three sub-interfaces
(Fa 0/0.2, Fa 0/0.3, and Fa 0/0.4). Following that, an 802.1Q trunk connects
the COMMON router to switch SW1. The switch port connected to each
router is part of a distinct VLAN (i.e., VOICE VLAN = 2, DATA VLAN = 3, and
VIDEO VLAN = 4), which is how Switch SW1 links to the VOICE, DATA, and
VIDEO routers.
Networks that carry real-time traffic, such as VoIP, need fast convergence.
Routing protocols like OSPF or EIGRP can immediately choose a different
path after losing a neighbor, but it takes them some time to detect that
the neighbor is gone.
We can tune timers to converge quickly; for example, OSPF can be set to use
a dead interval of just one second. The problem is that none of these
protocols was designed for sub-second failover: hello packets and the rest
are processed by the control plane, which adds a lot of overhead. BFD was
designed for speed; on some platforms its packets can be processed by the
interface modules or line cards, minimizing the overhead.
BFD does not depend on any routing protocol to function. Once it is
operational, protocols like OSPF, EIGRP, BGP, HSRP, MPLS LDP, and others
can be configured to use BFD instead of their own mechanisms for link
failure detection. BFD notifies the protocol when the link breaks. This can
be pictured as follows:
EIGRP can route both IPv4 and IPv6. This chapter's main goal is to
troubleshoot these protocols using classic and named EIGRP configurations.
Classic Mode
When using the traditional EIGRP configuration mode, the majority of
settings are configured in the EIGRP process, though some options are
configured in the interface configuration sub-mode. This can make
deployment and troubleshooting more challenging because users have to
scroll back and forth between the EIGRP process and specific network
interfaces. Examples of such interface-specific options include the hello
advertisement interval, split horizon, authentication, and summary route
advertisements.
This output includes, among other information, how long the local router
will continue to consider the neighboring router a neighbor, how long the
routers have been neighbors, the average time it takes the neighbors to
communicate, and the number of EIGRP packets queued for transmission to
the neighbor.
Passive Interface
Every organization should use the passive interface feature. It performs
two tasks:
ACL
Access control lists are powerful; what they control in your network
depends on how they are implemented. A neighbor relationship will not form
if an interface has an ACL applied and that ACL denies EIGRP packets.
Use the show ip interface interface_type interface_number command, as
shown in the following snippet, to see if an ACL is applied to an interface. As
you can see, interface Gig 1/0 has ACL 100 applied inbound. Use the
command show access-list 100 to confirm the ACL 100 entries.
Timer
Even though EIGRP timers do not have to match, the adjacency will flap if
the timers are significantly off. Consider, for example, that R1 uses a
hello interval of five seconds and a hold time of fifteen seconds, whereas
R2 sends hello packets every twenty seconds. R1's hold time will expire
before it receives another hello packet from R2, ending the neighbor
relationship. The neighbor relationship is re-established when R2's next
hello packet arrives and lasts only 15 seconds before expiring again.
Authentication
Authentication ensures that your EIGRP routers only form neighbor
relationships with authorized routers and only accept EIGRP packets coming
from authorized routers. Therefore, if authentication is used, both
routers must agree on the settings for a neighbor relationship to form.
The spot-the-difference method can be used with authentication. The output
of the commands show run interface interface_type interface_number and
show ip eigrp interface detail interface_type interface_number is shown
below, indicating whether or not EIGRP authentication is enabled on the
interface; in the highlighted text, it is. Remember that authentication
must be enabled on the correct interface and tied to the correct
autonomous system number. If you enter the wrong autonomous system number,
authentication will not be active for the intended autonomous system.
Troubleshooting Named EIGRP Configurations (Address
Family IPv6)
To give you a single location on the local router to carry out all EIGRP for
IPv4 and IPv6 configurations, EIGRP named configurations to serve this
purpose. An example of an EIGRP configuration is given below under the
name TSHOOT EIGRP. In this EIGRP configuration, both an IPv4 and an IPv6
unicast address family are present. Although it is not necessary, they both
employ autonomous system 100.
The command show eigrp protocols displays both the EIGRP for IPv4 address
family and the EIGRP for IPv6 address family, along with each autonomous
system number. The K values, router ID, stub router status, AD, maximum
paths, and variance are also displayed.
Troubleshooting OSPF
The Open Shortest Path First (OSPF) dynamic routing protocol is a link-state
routing protocol that uses Dijkstra's shortest path first (SPF) algorithm.
Its hierarchical design makes it a very scalable routing protocol. OSPF can
route both the IPv4 and IPv6 protocols. This chapter focuses on
troubleshooting OSPFv2 and OSPFv3 using both the classic configurations
and the more recent OSPF address family configurations.
Different Subnets
The router interfaces must be on the same subnet to establish an OSPF
neighbor adjacency. There are numerous ways to confirm this. The show
run interface interface_type interface_number command is the simplest
way to view the interface configuration in the running configuration.
Passive Interface
All organizations must have the passive interface feature. It performs two
tasks: 1) lessens OSPF-related network traffic; 2) increases OSPF security.
• Plain text: This is type 1 and uses clear text to send credentials
ACLs
The power of Access Control Lists (ACLs) is immense. What they control in
your network will depend on how they are implemented. A neighbor
relationship will not form if an ACL is applied to an interface and the ACL
blocks OSPF packets.
MTU Mismatch
For OSPF routers to become neighbors and reach the full adjacency state,
the interfaces forming the adjacency must have the same MTU. Otherwise, the
routers will detect one another but remain stuck in the exstart/exchange
states. According to the output of the show ip ospf neighbor command, R1
and R2 are both stuck in the exchange state.
The topology of an area is maintained in its own link state database and is
hidden from other areas, which reduces the amount of routing traffic OSPF
requires. A router connecting the areas then shares the topology between
them in summarized form.
Backbone Area
The backbone area (Area 0) is the center of an OSPF network. It connects to
all other areas, and all traffic between areas must pass through it. The
backbone area serves as the distribution point for all routing between
areas. While all other OSPF areas must connect to the backbone area, this
connection need not be direct.
Normal OSPF Area
In a normal OSPF area, there are no restrictions; the area can carry all types
of routes.
Stub Area
A stub area does not receive routes from other autonomous systems. It
reaches those destinations through a default route toward the backbone
area.
Totally Stubby Areas
Totally stubby areas block Type 3 LSAs (interarea), Type 4 LSAs (ASBR
summary LSAs), and Type 5 LSAs (external routes) at the ABR. When it
receives a Type 3 or Type 5 LSA, the ABR of a totally stubby area instead
generates a default route into the totally stubby area.
NSSA
The Not So Stubby Area (NSSA) is a type of stub area that can import
external routes, with some limited exceptions.
Network Types
Broadcast Network
Broadcast multi-access is a better term to distinguish broadcast media like
Ethernet from Non-Broadcast Multi-Access (NBMA) networks. Broadcast
networks are multi-access in the sense that they can connect more than two
devices, and broadcasts sent out to one interface can reach all interfaces on
that segment.
The Link LSA (Type 8) and the Intra-Area Prefix LSA (Type 9) are two new
LSA types that can be seen in the example above and are defined below for
OSPFv3. Also note that the Type 3 LSA (Summary LSA) is now referred to as
the Inter-Area Prefix LSA in the above example.
LSA Type: Description
LSA 8: The link LSA provides information to neighbors about link-local
addresses and the IPv6 addresses associated with the link. Therefore, it is
only flooded on the local link and is not reflooded by other OSPF routers.
LSA 9: The intra-area prefix LSA provides information for two different
scenarios. First, it provides information about IPv6 address prefixes
associated with a transit network by referencing a network LSA. Second, it
provides information about IPv6 address prefixes associated with a router by
referencing a router LSA. Type 9 LSAs are flooded only within an area.
1. Intra-area
2. Interarea
3. External Type 1
4. External Type 2
Interarea Routes
The next priority when selecting a path to a network is the path with the
lowest overall path metric to the destination. If the metrics are tied,
both routes are added to the OSPF RIB. For a route to be considered, all
interarea paths must traverse Area 0. In the accompanying image, R1 is
calculating the route to R6. R1 uses the path R1-R3-R5-R6, since its total
path metric is 35, compared to 40 for the path R1-R2-R4-R6.
External Route Selection
External routes fall into two categories, Type 1 and Type 2. The primary
distinctions between Type 1 and Type 2 external OSPF routes are:
• Type 1 routes are preferred over Type 2 routes.
• The Type 1 metric is the redistribution metric plus the overall path
metric to the ASBR. In other words, the metric rises as the LSA spreads
away from the originating ASBR.
• The Type 2 metric is only the redistribution metric. The router nearest
to the ASBR and the router 30 hops away from the originating ASBR use the
same metric. This is the type of external metric that OSPF employs by
default.
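The following Python program is an added example, not code from this book. It applies the path selection order listed above (intra-area, interarea, external Type 1, external Type 2), breaks ties within a type on the lowest metric, computes the Type 1 and Type 2 metrics as described, and breaks a Type 2 tie on the forwarding cost to the ASBR. The router names, prefixes and costs are constructed, except for the R1-to-R6 interarea comparison taken from the text.

```python
"""OSPF route preference and external metric computation.
Added example, not from the book. Prefixes, costs and router names are constructed.
"""
from dataclasses import dataclass

TYPE_RANK = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}   # lower is preferred


@dataclass(frozen=True)
class Candidate:
    dest: str
    path_type: str            # "intra", "inter", "E1" or "E2"
    path_cost: int            # cost to the destination (intra/inter) or to the ASBR (E1/E2)
    redist_metric: int = 0    # metric set at redistribution (E1/E2 only)
    via: str = ""             # next hop or path label, for display only

    def ospf_metric(self):
        if self.path_type == "E1":
            return self.redist_metric + self.path_cost   # grows with distance from the ASBR
        if self.path_type == "E2":
            return self.redist_metric                    # the same 1 hop or 30 hops away
        return self.path_cost


def sort_key(c):
    # route type first, then metric; E2 ties fall back to the cost to the ASBR
    return (TYPE_RANK[c.path_type], c.ospf_metric(),
            c.path_cost if c.path_type == "E2" else 0)


def select(candidates):
    """Best route(s) for one destination; several when they tie (ECMP)."""
    best = min(candidates, key=sort_key)
    return [c for c in candidates if sort_key(c) == sort_key(best)]


def routing_table(candidates):
    """dest -> list of installed routes, from a mixed set of candidates."""
    by_dest = {}
    for c in candidates:
        by_dest.setdefault(c.dest, []).append(c)
    return {dest: select(cands) for dest, cands in by_dest.items()}


# constructed sample: the R1 -> R6 interarea choice from the chapter, an external
# prefix learned as E1 from one ASBR and E2 from another, and an E2 tie
CANDIDATES = [
    Candidate("10.6.0.0/24", "inter", 35, via="R1-R3-R5-R6"),
    Candidate("10.6.0.0/24", "inter", 40, via="R1-R2-R4-R6"),
    Candidate("172.16.0.0/24", "E1", path_cost=10, redist_metric=20, via="ASBR1"),
    Candidate("172.16.0.0/24", "E2", path_cost=5, redist_metric=20, via="ASBR2"),
    Candidate("192.0.2.0/24", "E2", path_cost=300, redist_metric=20, via="ASBR3"),
    Candidate("192.0.2.0/24", "E2", path_cost=30, redist_metric=20, via="ASBR4"),
]

if __name__ == "__main__":
    for dest, routes in routing_table(CANDIDATES).items():
        for r in routes:
            print(f"{dest:16} {r.path_type:5} metric {r.ospf_metric():3} via {r.via}")
```

Note that 172.16.0.0/24 is installed as the E1 route with metric 30 even though the E2 alternative carries the lower metric of 20: route type is compared before metric.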
Troubleshooting iBGP and eBGP
Border Gateway Protocol (BGP) is the routing protocol of the Internet. Its
purpose is to exchange routing information among numerous autonomous
systems (networks under different administrative control), which is why it
is categorized as an Exterior Gateway Protocol (EGP). In contrast to Open
Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol
(EIGRP), or Routing Information Protocol (RIP), it bases its best path
decisions on attributes such as local preference, the length of the
autonomous system path, and even the BGP router ID (RID). BGP is the best,
most reliable, and easiest to maintain routing protocol, but that comes at
a cost.
asdot+ - asdot+ divides the number into two 16-bit values, high-order and
low-order, separated by a dot. The low-order value alone can represent any
2-byte ASN. For example, ASN 65535 becomes 0.65535, 65536 becomes 1.0,
65537 becomes 1.1, and so forth. ASN 4294967296 becomes 65535.65535.
asdot - asdot combines asplain and asdot+. Any ASN in the 2-byte range is
written in asplain notation, while ASNs above that range are written in
asdot+. For example, 65536 becomes 1.0, and 65535 stays 65535. Cisco uses
this notation in its implementation.
Route Refresh
The Border Gateway Protocol (BGP) Enhanced Route Refresh feature gives BGP
the ability to detect route inconsistencies and, in the uncommon case that
it finds one, synchronize BGP peers without performing a hard reset.
Peers are not expected to become inconsistent with one another. That can
happen only in the most unlikely of circumstances; in such a case, this
feature helps identify it and synchronizes the peers without performing a
hard reset.
Assume that two peers have Enhanced Route Refresh capabilities. Then,
before and after each peer's advertisement of the Adj-RIB-Out, it will
generate a Route-Refresh Start-of-RIB (SOR) message and an EOR message,
respectively. When a BGP speaker receives an EOR message from a peer, it
deletes any routes that the peer did not re-advertise in the Route Refresh
response.
If, in the uncommon case, the router still contains stale routes after
receiving the EOR message or after the EOR timer expires, the peers were
inconsistent with one another. Use this information to determine whether
the routes are reliable.
Timers for BGP Enhanced Route Refresh
Messages Produced by the BGP Enhanced Route Refresh in Syslog
BGP Enhanced Route Refresh Timers
Normally, these timers do not need to be configured. You could configure
one or both timers if you notice constant route flapping to the point where a
Route Refresh EOR cannot be created.
The first timer controls how long a router waits when it is not receiving
an EOR message. The second timer controls when the router must transmit
its own EOR message.
After a refresh EOR, net 300:300:3.3.0.0/0 from bgp neighbor IPv4 MDT
10.0.101.1 is stale (rate-limited)
After the refresh stale-path timeout expires, Net 300:300:3.3.0.0/0 from bgp
neighbor IPv4 MDT 10.0.101.1 is stale (rate-limited)
10. Prefer the path with the lowest neighbor BGP RID
When choosing the BGP optimal path, keep in mind the above figure and the
output of show bgp ipv4 unicast 10.1.1.0 on R5.
The customer's network may use private autonomous system numbers, but they
must not be included in the AS_PATH attribute when the routes are
advertised to the Internet (global BGP table). Doing so may cause problems
on the Internet, because multiple autonomous systems may share the same
private autonomous system number.
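The following Python code is an added example, not code from this book; it serves both the asdot/asdot+ notation discussion above and the private-ASN caution just given. It converts between asplain, asdot+ and asdot, parses any of the three back to an integer, detects private ASNs in an AS_PATH (the IANA-reserved 64512-65534 and 4200000000-4294967294 ranges), and strips or replaces them. The strip function is a generic illustration and is not a model of any vendor's remove-private-as command semantics; the AS numbers in the sample path are constructed.

```python
"""BGP ASN notations and private-ASN handling in an AS_PATH.
Added example, not from the book. Sample AS numbers are constructed.
"""
MAX_ASN = 2**32 - 1


def _check(asn):
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"ASN out of range: {asn}")
    return asn


def asplain(asn):
    return str(_check(asn))


def asdot_plus(asn):
    """Always high16.low16, so 65535 -> 0.65535 and 65536 -> 1.0."""
    _check(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def asdot(asn):
    """asplain for 2-byte ASNs, asdot+ above that range."""
    return asplain(asn) if _check(asn) < 65536 else asdot_plus(asn)


def parse_asn(text):
    """Accept asplain, asdot or asdot+ text; return the integer ASN."""
    if "." in text:
        high, low = (int(part) for part in text.split("."))
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"bad dotted ASN: {text}")
        return (high << 16) | low
    return _check(int(text))


def is_private_as(asn):
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def private_as_in_path(as_path):
    """Private ASNs that would leak if this path were sent to the Internet."""
    return [asn for asn in as_path if is_private_as(asn)]


def strip_private_as(as_path, replace_with=None):
    """Remove private ASNs from an AS_PATH (leftmost = most recently added).
    With replace_with, substitute that public ASN instead, which keeps the
    path length, and so the receiver's best-path decision, unchanged."""
    out = []
    for asn in as_path:
        if is_private_as(asn):
            if replace_with is not None:
                out.append(replace_with)
        else:
            out.append(asn)
    return out


if __name__ == "__main__":
    for asn in (65535, 65536, 65537, MAX_ASN):
        print(f"{asplain(asn):>10}  asdot={asdot(asn):<12} asdot+={asdot_plus(asn)}")
    path = [100, 64512, 65001, 200]   # constructed: two private ASNs behind AS 100
    print("would leak:", private_as_in_path(path))
    print("stripped:  ", strip_private_as(path))
    print("replaced:  ", strip_private_as(path, replace_with=100))
```

Running private_as_in_path on outbound eBGP updates is a cheap check that the configuration meant to hide private ASNs is actually doing so.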
Route Reflector
All iBGP peers within an AS must be fully meshed due to the BGP split-
horizon requirement (within iBGP). While iBGP neighbors do not add their
ASN to the AS_PATH when transmitting updates, eBGP neighbors use the
AS_PATH for loop avoidance. So, what method of loop prevention does iBGP
employ? Split horizon. The iBGP split-horizon rule says:
"Any routes learned from an iBGP neighbor must never be advertised to any
other iBGP neighbor."
Peer Types
There are two types of internal peers to a route reflector - Client and Non-
Client. Let us look at the differences,
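The following Python model is an added example, not code from this book. It encodes the iBGP split-horizon rule quoted above for an ordinary BGP speaker and, for a route reflector, the reflection rules of RFC 4456 (assumed here, not stated on the page): routes from an eBGP peer go to all peers, routes from a client are reflected to the other clients and to non-clients, and routes from a non-client are reflected to clients only. It also applies the ORIGINATOR_ID and CLUSTER_LIST checks that keep reflection loop-free. Router names, router IDs and peer names are constructed.

```python
"""iBGP split horizon versus route reflection, with the RFC 4456 loop checks.
Added example, not from the book. Names and router IDs are constructed.
"""


class BgpSpeaker:
    def __init__(self, name, router_id, peers, route_reflector=False, cluster_id=None):
        self.name = name
        self.router_id = router_id
        self.peers = dict(peers)               # peer name -> "ebgp" | "ibgp" | "client"
        self.route_reflector = route_reflector
        self.cluster_id = cluster_id or router_id   # RFC 4456 default: the router ID

    def advertise_to(self, learned_from):
        """Names of the peers that receive a route learned from `learned_from`."""
        src_kind = self.peers[learned_from]
        targets = []
        for peer, kind in self.peers.items():
            if peer == learned_from:
                continue                       # a route is never echoed to its sender
            if kind == "ebgp" or src_kind == "ebgp":
                targets.append(peer)           # eBGP on either side is always allowed
            elif not self.route_reflector:
                continue                       # iBGP -> iBGP: split horizon, mesh required
            elif src_kind == "client" or kind == "client":
                targets.append(peer)           # client route -> all; non-client -> clients
        return sorted(targets)

    def accept_reflected(self, originator_id, cluster_list):
        """Loop checks applied when a reflected route is received."""
        if originator_id == self.router_id:
            return False                       # our own route has come back to us
        if self.route_reflector and self.cluster_id in cluster_list:
            return False                       # it already passed through our cluster
        return True


def ibgp_sessions(n_routers, with_route_reflector):
    """Sessions needed inside one AS: full mesh versus a single reflector."""
    return n_routers - 1 if with_route_reflector else n_routers * (n_routers - 1) // 2


# constructed topology: a reflector with two clients, one non-client and an eBGP
# peer, and an ordinary router with two iBGP peers and one eBGP peer
RR1 = BgpSpeaker("RR1", "10.0.0.1",
                 {"C1": "client", "C2": "client", "N1": "ibgp", "E1": "ebgp"},
                 route_reflector=True)
R2 = BgpSpeaker("R2", "10.0.0.2", {"I1": "ibgp", "I2": "ibgp", "E1": "ebgp"})

if __name__ == "__main__":
    for rtr in (RR1, R2):
        for src in rtr.peers:
            print(f"{rtr.name}: route from {src} -> {rtr.advertise_to(src)}")
    print("iBGP sessions for 20 routers:",
          ibgp_sessions(20, False), "meshed vs", ibgp_sessions(20, True), "with a reflector")
```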
For a specific BGP peer, IOS XE has four options for route filtering, either
inbound or outgoing. Each of these approaches can be used independently
or in tandem with additional approaches:
In this chapter, you will learn about different VPN technologies. Internet
Service Providers provide VPN technologies, and organizations buy those
services from their ISPs to connect their branches. Organizations mostly buy
MPLS services from their ISPs to connect their branches at different
locations.
MPLS has other benefits too. It supports many services, such as multicast
routing, unicast routing, Quality of Service (QoS), Traffic Engineering (TE),
and Virtual Private Networks. Therefore, it is preferred over traditional
routing.
MPLS LIB and LFIB
Every router has a control plane and a data plane. The control plane acts
like a control unit and handles the processing and computing, and the data
plane handles the actual data packets and forwards them.
The data plane is also known as the forwarding plane. The control plane
holds the Routing Information Base (RIB), and the data plane holds the
Forwarding Information Base (FIB). RIB and FIB are used in traditional
IP-based routing; MPLS uses something else.
A router creates a routing table in the control plane. The routing table has all
the routes and other related information. This routing table is part of the
Routing Information Base (RIB). Information from the RIB is used in the
Forwarding Information Base (FIB), where the packets are forwarded.
In MPLS, labels are used to identify the packets, so a Label Information Base
(LIB) is created in the control plane. LIB is equivalent to Routing Information
Base (RIB). Information from the LIB is then used in the Label Forwarding
Information Base (LFIB) to forward the data (packets). Label Forwarding
Information Base (LFIB) is equivalent to the Forwarding Information Base
(FIB).
Address Resolution Protocol (ARP) is a layer 2 protocol that helps find the
MAC address of a host when only its IP is known. Routing takes place on
layer 3, so the control plane has layer 2 and layer 3 information in a CEF-
enabled router. MPLS is configured on a CEF-enabled router and uses its
control and data planes. MPLS lies in between layer 2 and layer 3.
Label Switch Router (LSR)
An MPLS architecture consists of core Provider (P) routers. MPLS is mostly
used by Internet Service Providers (ISPs). These routers provide services
to the customers through the Provider Edge (PE) routers. The routers placed
on the customers' side are known as Customer Edge (CE) routers. Provider
routers are connected to the Provider Edge routers, and Provider Edge
routers are connected to the Customer Edge routers.
In complex networks, the return path may differ from the forward path from
source to destination, but this is not common. MPLS runs over an underlying
routing protocol such as OSPF or EIGRP, and these routing protocols keep
the forwarding paths symmetric, so most traffic returns along the path it
came from.
The red dashed arrows in the above figure indicate the Label-Switched Path
(LSP). The LSP lies inside the MPLS domain, where the packet carries a
label. A packet without a label (an unlabeled packet) is not on the LSP and
is clearly outside the MPLS domain.
Labels
The label is the most important element of Multiprotocol Label Switching
(MPLS). When a packet is labeled, a header is placed between the packet's
layer 2 frame header and its layer 3 IP header. It is called a shim header
because it is placed between these two headers.
The MPLS label header is 32 bits (4 bytes) in size and contains four
fields. The first field, the 20-bit Label Value, holds the label. The next
field, the 3-bit EXP field, is used for Quality of Service (QoS). The next
field, the 1-bit S field, indicates whether the label is the last one in
the stack, because a packet can carry multiple labels (as in VPNs). The
last field, the 8-bit TTL field, holds a Time-to-Live value that decreases
on every hop until it reaches zero.
Label Distribution Protocol (LDP)
MPLS does not do all of its work by itself; it also needs a protocol. MPLS
uses a common protocol called Label Distribution Protocol (LDP), which
distributes labels between the MPLS-enabled routers. A router uses the
label information learned from its neighbors to populate its LIB.
Label Switching
Label switching is adding or removing the labels to or from the packets. The
process in which a router adds the label on the packet is known as Pushing
the label. The process in which a router removes the label from the packet is
known as Popping the label. The process in which a label is replaced with
another label is known as Swapping the label.
Penultimate Hop Popping
So far, you have learned that the last LSR in the MPLS domain pops the
label from the packet because there is no further LSR on the outgoing
interface. When that last LSR receives a labeled packet, it looks up its
Label Forwarding Information Base. If there is no outgoing label, it then
looks up the Forwarding Information Base and forwards the packet without
any label to the destination. This double lookup is not efficient.
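The following Python program is an added example, not code from this book; it covers the label header layout, the push/swap/pop operations and the penultimate hop popping discussion above. It packs and parses the 32-bit shim header, implements push, swap and pop on a label stack, and walks a constructed LSP PE1 -> P1 -> P2 -> PE2 twice: once with PHP, where P2 pops because PE2 advertised the implicit-null label (3) via LDP and PE2 then needs a single FIB lookup, and once without, where PE2 must look up the label, pop it, and then look up the IP destination. Router names, label values, the customer prefix and the LOCAL marker for "pop and route here" are all constructed for the example; only implicit-null (3) is a real reserved label value.

```python
"""MPLS shim header, label push/swap/pop and penultimate hop popping.
Added example, not from the book; routers, labels and prefix are constructed.
"""
import struct

IMPLICIT_NULL = 3        # reserved label an egress LSR advertises to request PHP
LOCAL = "local"          # our own LFIB marker: pop here, then route the IP packet
DEST = "10.2.0.0/24"     # constructed customer prefix behind PE2
IP_PACKET = b"constructed-ip-packet"

def encode_label(label, exp=0, bos=True, ttl=255):
    """One 32-bit shim header: 20-bit label | 3-bit EXP | 1-bit S | 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label header field out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bos) << 8) | ttl)

def decode_label(data):
    """Parse the top shim header of a label stack."""
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "exp": (word >> 9) & 0x7,
            "bos": bool((word >> 8) & 0x1), "ttl": word & 0xFF}

class Packet:
    def __init__(self, ip, stack=b""):
        self.ip, self.stack = ip, stack    # stack: 0..n shim headers, top first

def push(pkt, label, exp=0, ttl=255):
    bos = len(pkt.stack) == 0              # first label on a packet is bottom of stack
    return Packet(pkt.ip, encode_label(label, exp, bos, ttl) + pkt.stack)

def pop(pkt):
    return Packet(pkt.ip, pkt.stack[4:])

def swap(pkt, new_label):
    top = decode_label(pkt.stack)          # keep EXP and S, decrement TTL
    hdr = encode_label(new_label, top["exp"], top["bos"], top["ttl"] - 1)
    return Packet(pkt.ip, hdr + pkt.stack[4:])

class LSR:
    """Label switch router: a FIB for IP packets, an LFIB for labelled ones."""
    def __init__(self, name, fib=None, lfib=None):
        self.name = name
        self.fib = fib or {}     # prefix -> label to push, or None to send unlabelled
        self.lfib = lfib or {}   # in label -> out label, IMPLICIT_NULL or LOCAL
        self.lookups = 0         # table lookups spent on the sample packet

    def process(self, pkt, dest):
        """Return (trace step, packet to send) or (reason, None) when dropped."""
        if pkt.stack:
            self.lookups += 1
            top = decode_label(pkt.stack)
            if top["ttl"] <= 1:
                return f"{self.name}:drop ttl-expired", None
            out = self.lfib.get(top["label"])
            if out is None:
                return f"{self.name}:drop no-lfib-entry", None
            if out == IMPLICIT_NULL:   # PHP: pop so the next hop needs only an IP lookup
                return f"{self.name}:pop {top['label']}", pop(pkt)
            if out != LOCAL:
                return f"{self.name}:swap {top['label']}->{out}", swap(pkt, out)
            pkt = pop(pkt)             # egress without PHP: pop, then a second lookup
        self.lookups += 1
        if dest not in self.fib:
            return f"{self.name}:drop no-route", None
        out_label = self.fib[dest]
        if out_label is None:
            return f"{self.name}:ip-forward", pkt
        return f"{self.name}:push {out_label}", push(pkt, out_label)

def traverse(pkt, dest, path):
    """Send one packet along a list of LSRs; stops at the first drop."""
    trace = []
    for lsr in path:
        step, pkt = lsr.process(pkt, dest)
        trace.append(step)
        if pkt is None:
            break
    return trace, pkt

def build_lsp(php):
    """PE1 pushes 100, P1 swaps 100->200; P2 pops (PHP) or swaps to 300 for PE2."""
    pe1, p1 = LSR("PE1", fib={DEST: 100}), LSR("P1", lfib={100: 200})
    if php:
        return [pe1, p1, LSR("P2", lfib={200: IMPLICIT_NULL}), LSR("PE2", fib={DEST: None})]
    return [pe1, p1, LSR("P2", lfib={200: 300}), LSR("PE2", lfib={300: LOCAL}, fib={DEST: None})]

def demo(php):
    """Walk the LSP; returns (trace, lookups at the egress PE, final label stack)."""
    path = build_lsp(php)
    trace, pkt = traverse(Packet(IP_PACKET), DEST, path)
    return trace, path[-1].lookups, (pkt.stack if pkt else None)

if __name__ == "__main__":
    for php in (True, False):
        print("PHP" if php else "no PHP", demo(php))
```

Propagation of the label TTL back into the IP header at the egress is not modelled; the point of the walk is the lookup count at PE2, which is one with PHP and two without.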
The idea is that Customer A site 1 can exchange its local routing
information with Customer A site 2, so they can communicate with each other
as needed. Thanks to MPLS Layer 3 VPN, Customer A and Customer B can have
the same IP address space. For example, Customer A and Customer B can both
use the 192.168.0.0 IP address range.
To isolate the customers (because they may be using the same IP space), Virtual
Routing and Forwarding (VRF) is used. A VRF is assigned to the Provider Edge
(PE) router interface that connects to the Customer Edge (CE) router. CE and PE
exchange routing information with any of the usual dynamic routing protocols,
such as Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information
Protocol (RIP), Open Shortest Path First (OSPF), or Border Gateway Protocol
(BGP).
A Route Distinguisher (RD) is always used, whether or not the customers overlap
in their IP prefixes. The RD is a 64-bit value prepended to the 32-bit IPv4
prefix, producing a unique 96-bit prefix called a VPNv4 address. The PE routers,
which are MP-iBGP neighbors of each other, exchange these VPNv4 addresses.
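How the RD turns overlapping customer prefixes into distinct VPNv4 routes, as an added Python example (not code from the book or from any router software). It encodes the three RD types defined for MP-BGP, builds the 96-bit key, and compares a plain IPv4 table with a VPNv4 table for three constructed customers that all announce 192.168.0.0/24. The customer names, RDs, and next hops are made up for the illustration.

```python
import ipaddress
import struct


def encode_rd(rd):
    """8-byte Route Distinguisher. 'ASN:nn' -> type 0 (2-byte ASN, 4-byte nn) or type 2
    (4-byte ASN, 2-byte nn) when the ASN does not fit 16 bits; 'A.B.C.D:nn' -> type 1."""
    admin, nn = rd.rsplit(":", 1)
    nn = int(nn)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, nn)
    asn = int(admin)
    if asn < 1 << 16:
        return struct.pack("!HHI", 0, asn, nn)
    return struct.pack("!HIH", 2, asn, nn)


def decode_rd(raw):
    (rd_type,) = struct.unpack("!H", raw[:2])
    if rd_type == 0:
        asn, nn = struct.unpack("!HI", raw[2:])
        return f"{asn}:{nn}"
    if rd_type == 1:
        ip, nn = struct.unpack("!4sH", raw[2:])
        return f"{ipaddress.IPv4Address(ip)}:{nn}"
    if rd_type == 2:
        asn, nn = struct.unpack("!IH", raw[2:])
        return f"{asn}:{nn}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpnv4_key(rd, prefix):
    """96-bit VPNv4 address = RD (64 bits) + IPv4 network address (32 bits). The prefix length
    is returned alongside, because 10.0.0.0/8 and 10.0.0.0/16 are different routes."""
    net = ipaddress.IPv4Network(prefix)
    return encode_rd(rd) + net.network_address.packed, net.prefixlen


def advertise_all(customer_routes):
    """customer_routes: (vrf, rd, prefix, next_hop) tuples. Returns the plain IPv4 table a
    provider would end up with if it merged customer routes directly (later entries overwrite
    earlier ones) and the VPNv4 table that MP-BGP actually carries between PEs."""
    plain, vpnv4 = {}, {}
    for vrf, rd, prefix, next_hop in customer_routes:
        plain[ipaddress.IPv4Network(prefix)] = {"vrf": vrf, "next_hop": next_hop}
        vpnv4[vpnv4_key(rd, prefix)] = {"vrf": vrf, "next_hop": next_hop, "rd": decode_rd(encode_rd(rd))}
    return plain, vpnv4


CONSTRUCTED_ROUTES = [
    ("CUST-A", "65000:100", "192.168.0.0/24", "10.255.0.1"),
    ("CUST-B", "65000:200", "192.168.0.0/24", "10.255.0.2"),      # same prefix, other customer
    ("CUST-C", "198.51.100.1:7", "192.168.0.0/24", "10.255.0.3"),  # type 1 RD, same prefix again
]


def summary():
    plain, vpnv4 = advertise_all(CONSTRUCTED_ROUTES)
    return {"plain_entries": len(plain), "vpnv4_entries": len(vpnv4),
            "customers_reachable": sorted(v["vrf"] for v in vpnv4.values())}
```

The RD only makes the routes distinct; which VRF imports which VPNv4 routes is decided separately by route targets, which are outside the scope of this passage.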
DMVPN
MPLS can connect two private sites. When a private site has to reach many other
sites, buying an MPLS service for each connection from the service provider
becomes very costly. Dynamic Multipoint VPN (DMVPN) connects multiple private
sites over a shared network such as the Internet and lets a site reach another
site directly, without its traffic having to pass through the hub router.
The DMVPN architecture consists of a single hub (the main router) and the spoke
routers (the customer or endpoint routers). Every spoke keeps a tunnel to the
hub. When a spoke needs to reach another spoke, a tunnel is built directly
between the two spoke routers so that their traffic does not traverse the hub.
Some of the benefits of using DMVPN are listed below:
GRE/mGRE
Separate physical networks needed a way to communicate with each other, and
overlay tunneling technologies came into existence to bridge that gap. They are
called overlays because they are virtual (logical) networks built on top of
physical (underlay) networks.
Generic Routing Encapsulation (GRE) Tunnels
GRE is a tunneling protocol that provides connectivity between physical
networks and can carry several network-layer protocols. It encapsulates packets
from one network and forwards them through the tunnel to the connected network;
the outer packet is carried as IP protocol 47.
The tunnel is created over an IP-based network such as the Internet. GRE was
originally created to carry legacy protocols such as Internetwork Packet
Exchange (IPX), which the Internet could not transport natively, between
physical networks. Note that GRE provides no confidentiality, integrity, or
authentication of its own: anyone who can observe or inject packets on the
underlay can read or spoof tunnel traffic, which is why DMVPN combines GRE with
IPsec.
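GRE encapsulation and decapsulation as described above, as an added Python example (not code from the book or from Cisco IOS). It builds the outer IPv4 header with protocol 47, the GRE header with the optional checksum and key fields (the key is what a router's tunnel key setting populates, and what mGRE uses to tell tunnels apart), and checks them on the way back. The tunnel endpoints, the inner packet, and the key value are constructed for the illustration.

```python
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number that carries GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an IPv4 passenger packet
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # checksum / key / sequence-number present bits


def internet_checksum(data):
    """RFC 1071 ones'-complement checksum, used by the IPv4 header and by GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (DF set, no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def gre_encap(outer_src, outer_dst, inner, proto_type=ETHERTYPE_IPV4, key=None, checksum=True):
    """Outer IPv4 (proto 47) | GRE header (RFC 2784, key per RFC 2890) | inner packet."""
    flags = (GRE_C if checksum else 0) | (GRE_K if key is not None else 0)
    gre = struct.pack("!HH", flags, proto_type)
    if checksum:
        gre += struct.pack("!HH", 0, 0)  # checksum placeholder + reserved1
    if key is not None:
        gre += struct.pack("!I", key)
    if checksum:
        csum = internet_checksum(gre + inner)  # covers the GRE header and the payload
        gre = gre[:4] + struct.pack("!H", csum) + gre[6:]
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decap(packet, expected_key=None):
    """Validate the outer IPv4 and GRE headers; return (proto_type, key, inner packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if packet[9] != GRE_PROTO:
        raise ValueError(f"outer protocol {packet[9]} is not GRE")
    gre = packet[ihl:]
    flags, proto_type = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset, key = 4, None
    if flags & GRE_C:
        if internet_checksum(gre) != 0:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    if flags & GRE_K:
        (key,) = struct.unpack("!I", gre[offset:offset + 4])
        offset += 4
    if flags & GRE_S:
        offset += 4
    if expected_key is not None and key != expected_key:
        raise ValueError("tunnel key mismatch")  # an mGRE interface would not claim this packet
    return proto_type, key, gre[offset:]


def roundtrip_demo():
    """Constructed inner IPv4/UDP packet through a keyed GRE tunnel, plus one corrupted copy."""
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 17, 13) + struct.pack("!HHHH", 4000, 53, 13, 0) + b"hello"
    tunnel = gre_encap("203.0.113.1", "203.0.113.2", inner, key=1234)
    proto_type, key, recovered = gre_decap(tunnel, expected_key=1234)
    # Flip the last payload byte in transit. The checksum catches accidental corruption only:
    # an attacker who recomputes it goes undetected, because GRE has no authentication.
    tampered = tunnel[:-1] + bytes([tunnel[-1] ^ 0xFF])
    try:
        gre_decap(tampered, expected_key=1234)
        tamper_caught = False
    except ValueError:
        tamper_caught = True
    return {"proto_type": proto_type, "key": key, "inner_ok": recovered == inner,
            "tamper_caught": tamper_caught, "overhead_bytes": len(tunnel) - len(inner)}
```

The overhead figure (20 bytes of outer IPv4 plus 12 bytes of GRE here) is the reason tunnel interfaces need a lower MTU or an adjusted TCP MSS; adding ESP on top for IPsec increases it further.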
NHRP
Next-Hop Resolution Protocol (NHRP), defined in RFC 2332, is an address
resolution protocol for hosts and routers on Non-Broadcast Multi-Access (NBMA)
networks such as ATM and Frame Relay. In DMVPN, each spoke registers its tunnel
address and public (NBMA) address with the hub, and a spoke queries the hub to
resolve the NBMA address of another spoke. That gives the spoke the information
it needs to communicate directly with the other spoke.
IPSec
IPsec stands for IP Security. It is an IETF (Internet Engineering Task Force)
standard suite of protocols that secures traffic between two communicating
endpoints across an IP network, providing data origin authentication,
integrity, confidentiality, and anti-replay protection. It defines how packets
are authenticated, encrypted, and decrypted. It consists of multiple protocols
and standards, including the Internet Security Association and Key Management
Protocol (ISAKMP), the framework that the Internet Key Exchange (IKE) uses to
negotiate keys and security associations.
Phase 1 Negotiations
During Phase 1 negotiations, the two VPN gateways authenticate each other with
their configured credentials and negotiate a shared set of Phase 1 settings.
When Phase 1 completes, the two devices have a Phase 1 Security Association
(SA), which is valid only for a set lifetime. If the two VPN gateways do not
finish the Phase 2 negotiation before the Phase 1 SA expires, they must start
over with Phase 1.
1. The devices agree on the IKE version (IKEv1 or IKEv2). Each device can use
IKEv1 or IKEv2, but both devices must use the same version.
3. The devices identify each other. Each device presents a Phase 1 identity,
which may be an X.500 name, an IP address, a domain name, or other
domain-related data. The local and remote Phase 1 identities are supplied in
each device's VPN configuration, and the two configurations must match.
4. For Phase 1 negotiations with IKEv1, the VPN gateways use either Main Mode or
Aggressive Mode. Aggressive Mode completes in fewer messages but sends the
identities in the clear, and with pre-shared keys it exposes a hash that can be
attacked offline, so Main Mode (or IKEv2) is preferred.
Phase 2 Negotiations
We advise you to enable Perfect Forward Secrecy (PFS) to protect your data. If
you use PFS, both VPN gateways must have PFS enabled and be configured with the
same Diffie-Hellman key group.
The VPN gateways agree on a Phase 2 proposal. The Phase 2 proposal specifies the
algorithm used to authenticate data, the algorithm used to encrypt data, and how
often new Phase 2 encryption keys are generated.
Tunnel Mode
In tunnel mode, IPsec protects the entire original IP packet, including its IP
header and payload. It uses the whole packet to compute the ESP or AH header and
then encapsulates the original packet together with that header in a new IP
header. Tunnel mode is the usual choice between two VPN gateways.
Transport Mode
In transport mode, IPsec protects only the IP payload. The AH or ESP header is
computed over the payload and inserted between the original IP header and the
payload. With ESP, an ESP trailer (and the integrity check value) also follows
the payload. Transport mode is usually used to protect communications between
hosts or between a host and a gateway, for example a GRE tunnel between two
routers whose tunnel endpoints are also the IPsec endpoints.
IPsec is a collection of protocols for securing data sent over open networks
such as the Internet. The Internet Engineering Task Force (IETF) developed the
IPsec protocols in the mid-1990s to provide security at the IP layer by
authenticating and encrypting IP packets. Authentication Header (AH) and
Encapsulating Security Payload (ESP) were the first two IPsec protocols for
safeguarding IP packets. AH provides data integrity, data origin authentication,
and anti-replay protection but no encryption, while ESP provides encryption
(confidentiality) and, optionally, authentication and integrity as well.
Authentication Header
AH is defined in RFC 4302 (which obsoletes the earlier RFC 2402). Its services
are data integrity, data origin authentication, and optional anti-replay
protection. AH was designed to be inserted into an IP packet to add
authentication data and protect the contents from tampering.
Header Structure
The AH provides packet authentication and anti-replay services, an important
IPsec security mechanism. AH uses IP protocol 51 and can be used in transport
or tunnel mode. The header carries a Next Header field, a Payload Length field,
a reserved field, the Security Parameters Index (SPI), a Sequence Number, and
the Integrity Check Value (ICV).
Transport mode is typically employed when the client host initiates the IPsec
communication; it protects the upper-layer protocols and the immutable fields of
the IP header. In transport mode, the AH is placed after the IP header and
before the upper-layer protocol (such as TCP, UDP, or ICMP) or any previously
inserted IPsec headers.
Encapsulating Security Payload
Header Structure
The ESP header is placed after the IP header in an IP packet. ESP consists of a
header (SPI and Sequence Number), the Payload Data, and a trailer (Padding, Pad
Length, and Next Header), followed by the Integrity Check Value when
authentication is enabled. ESP uses IP protocol 50.
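The AH transport-mode layout and the anti-replay service mentioned above, as an added Python example (not code from the book or from any IPsec implementation). It places an AH between a constructed IPv4 header and a TCP-like payload, computes the ICV over the immutable IP fields plus AH and payload, and runs received sequence numbers through the RFC 4303 Appendix A style sliding window; the same window logic applies to ESP. The key, SPI, and sequence numbers are constructed, and HMAC-SHA-256 truncated to 96 bits is an assumption standing in for whatever integrity algorithm the SA negotiates.

```python
import hashlib
import hmac
import struct

AH_PROTO, ESP_PROTO = 51, 50
ICV_LEN = 12  # assumed HMAC-SHA-256 truncated to 96 bits; AH pads the ICV to a 32-bit multiple


def ipv4_immutable(ip_hdr):
    """Zero the IPv4 fields AH treats as mutable (DSCP/ECN, flags and fragment offset, TTL,
    header checksum) before feeding the header into the ICV computation (RFC 4302 3.3.3.1)."""
    return (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00" + ip_hdr[9:10]
            + b"\x00\x00" + ip_hdr[12:20])


def build_ah_transport(ip_hdr, spi, seq, next_header, payload, key):
    """IPv4 header | AH | upper-layer payload. Payload Len = AH length in 32-bit words minus 2."""
    ip_hdr = ip_hdr[:9] + bytes([AH_PROTO]) + ip_hdr[10:]  # protocol now says "AH follows"
    ah_no_icv = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    icv = hmac.new(key, ipv4_immutable(ip_hdr) + ah_no_icv + payload, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_no_icv[:12] + icv + payload


def parse_ah_transport(packet):
    """Split an AH transport-mode packet into (IP header, AH fields, upper-layer payload)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != AH_PROTO:
        raise ValueError("IP protocol is not AH (51)")
    ip_hdr, rest = packet[:ihl], packet[ihl:]
    next_header, plen, _reserved, spi, seq = struct.unpack("!BBHII", rest[:12])
    ah_len = (plen + 2) * 4
    return ip_hdr, {"next_header": next_header, "spi": spi, "seq": seq, "icv": rest[12:ah_len]}, rest[ah_len:]


def verify_icv(ip_hdr, ah, payload, key):
    icv_len = len(ah["icv"])
    ah_no_icv = struct.pack("!BBHII", ah["next_header"], (12 + icv_len) // 4 - 2, 0,
                            ah["spi"], ah["seq"]) + bytes(icv_len)
    expected = hmac.new(key, ipv4_immutable(ip_hdr) + ah_no_icv + payload, hashlib.sha256).digest()[:icv_len]
    return hmac.compare_digest(expected, ah["icv"])


class ReplayWindow:
    """Sliding anti-replay window; bit 0 of the bitmap is the highest sequence number seen."""

    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return "invalid"  # sequence numbers start at 1
        if seq > self.top:  # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:
            return "stale"  # older than the window: rejected
        if (self.bitmap >> diff) & 1:
            return "replay"  # seen before
        self.bitmap |= 1 << diff
        return "accept"


def receive(packets, key):
    """Per-SPI replay check. The window is updated only after the ICV verifies, as RFC 4302
    requires; otherwise an attacker could poison the window with forged sequence numbers."""
    windows, results = {}, []
    for pkt in packets:
        ip_hdr, ah, payload = parse_ah_transport(pkt)
        if not verify_icv(ip_hdr, ah, payload, key):
            results.append((ah["seq"], "bad-icv"))
            continue
        window = windows.setdefault(ah["spi"], ReplayWindow())
        results.append((ah["seq"], window.accept(ah["seq"])))
    return results


CONSTRUCTED_KEY = b"constructed-32-byte-example-key!"


def demo(seqs=(1, 2, 3, 2, 70, 5, 8, 7)):
    """Constructed stream: in-order packets, a replayed 2, a jump to 70 that slides the window,
    a 5 that is now too old, an 8 inside the window, and a tampered 7."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 1, 0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    pkts = [build_ah_transport(ip_hdr, 0x1000, s, 6, b"constructed TCP segment", CONSTRUCTED_KEY) for s in seqs]
    pkts[-1] = pkts[-1][:-1] + bytes([pkts[-1][-1] ^ 1])  # flip one payload bit in transit
    return receive(pkts, CONSTRUCTED_KEY)
```

Note that the receiver never evaluates the sequence number of a packet whose ICV fails: that ordering is what stops an on-path attacker from advancing a peer's window with garbage and so causing legitimate, slightly delayed packets to be rejected as stale.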
Dynamic Neighbor
Dynamic Multipoint VPN provides VPN connectivity to the spoke routers
dynamically. Because it is multipoint, a single hub tunnel interface serves many
client routers. With static point-to-point tunnels, it would be impractical to
configure and maintain connections to hundreds of spoke routers.
The first packets from one spoke to another travel through the hub. The hub
recognizes the spoke-to-spoke traffic and, through NHRP, lets the sending spoke
resolve the NBMA address of the destination spoke. The spoke then builds a
direct tunnel, and subsequent packets between the two spokes use that tunnel
instead of passing through the hub.
Mind Map
CHAPTER 04: INFRASTRUCTURE SERVICES
Introduction
This chapter focuses on device management and the tools used for it: console
and vty access (Telnet and SSH), and remote file transfer tools such as Trivial
File Transfer Protocol (TFTP), Hypertext Transfer Protocol (HTTP), Hypertext
Transfer Protocol Secure (HTTPS), and Secure Copy Protocol (SCP). It covers
detecting and repairing problems with console and vty access and with those
transfer tools. It also covers the use and troubleshooting of network
management tools such as Syslog, SNMP, Cisco IP SLA, object tracking, NetFlow,
and Flexible NetFlow, and finally looks at Cisco DNA Center Assurance.
Verify that the Cisco device is sourcing packets to the web server from the
correct IP address. If it is not, an ACL along the path may drop the packets.
You can set the source address with the ip http client source-interface
interface-id command.
Ensure that you choose the appropriate protocol, HTTP or HTTPS. Your URL should
start with http:// when connecting to an HTTP server and with https:// when
connecting to an HTTPS server. Prefer HTTPS or SCP where possible, since plain
HTTP (like TFTP) sends the file and any credentials in cleartext.
Use the debug ip http client all command for more assistance in troubleshooting
HTTP and HTTPS copy problems.
Troubleshoot SNMP
Whether you use SNMPv2c or SNMPv3, you must be able to ping the Network
Management Server (NMS) from the agent. Without Layer 3 connectivity, the
Simple Network Management Protocol (SNMP) NMS cannot access the data in the
Management Information Base (MIB) on the agent. In addition, SNMP uses UDP port
161 for the get, set, and bulk requests the NMS sends to the agent, and UDP port
162 for the traps and informs the agent sends to the NMS. If an ACL blocks
either port in either direction, SNMP communication between the NMS and the
agent fails.
SNMPv2c
When troubleshooting SNMPv2c, keep the following in mind:
Make sure the community strings match: The read-only or read/write community
string configured on the NMS and on the agent must be identical for the NMS to
read from or write to the agent. Remember that SNMPv2c sends the community
string in cleartext and offers no encryption, so restrict it to a management
network and move to SNMPv3 authPriv where possible.
Ensure the ACL identifies the correct servers: If an ACL is used to specify
which NMS (by IP address) may retrieve objects from the MIB, it must list the
NMS addresses exactly.
Ensure the notification configuration is correct: If the agent is set up to
send traps or informs, make sure that:
Traps are enabled
The host (NMS) IP address is entered correctly
The right SNMP version is specified
The appropriate community string is provided
SNMPv3
SNMPv3 provides significant security enhancements over SNMPv2c: message
authentication, encryption, and per-user access control through views. When
troubleshooting SNMPv3, keep the following in mind:
Nesting of users, views, and groups: Using SNMPv3, you may
construct users with authentication and encryption settings nested
into groups that specify the servers permitted to read from or write
to the objects in the MIB on the agent. SNMPv3 will not operate as
intended if the users, views, and groups are not nested.
Wrong security level specified: The three security levels that
SNMPv3 provides are noAuthNoPriv, authNoPriv, and authPriv. The
security settings selected for the group, users, and trap sending
must coincide with those employed on the server.
Incorrect encryption algorithm, hashing algorithm, or
passwords defined: The hashing algorithm and password used for
authentication must match; otherwise, the authentication will fail.
Incorrect OIDs specified in the view: The views list the MIB objects
that the NMS can access. SNMPv3 will not give the intended results
if the incorrect objects are defined.
Notification configuration: If your agent is set up to send traps or
informs, ensure that traps are enabled, the host (NMS) IP address is
correct, the SNMP version is valid, the security level is correct, and
that you specified traps or informs (default is traps).
Index shuffling: Use the snmp-server ifindex persist command,
which appears as snmp ifmib ifindex persist in the running
configuration, to stop index shuffling and ensure index persistence
during reboots or minor software upgrades
Troubleshoot Network Problems using Logging
Success depends on the integrity and safety of your network and the clients
it serves. You can remain on top of any difficulties that arise if you can
monitor your network using various tools. However, you must troubleshoot
the tools that aid in troubleshooting when the primary tools malfunction or
fail to deliver the desired outcomes.
Local Logging
Cisco IOS can store Syslog messages in an internal buffer for local logging.
These messages can be viewed with the show logging command. The logging
buffered command enables internal logging and controls the buffer size and the
minimum severity level that is stored.
Syslog
Syslog is the industry standard for logging computer messages. It separates the
software that generates messages from the systems that store them and from the
software that analyzes and reports on them. It can be used for system
administration, debugging, and security auditing. Many devices, including
routers, and receivers on many platforms support Syslog, which lets you
consolidate log data from many different kinds of systems in a central
repository. A Syslog packet (RFC 3164) consists of a PRI part, which encodes the
facility and severity, followed by a HEADER (timestamp and hostname) and the
MSG. Traditional Syslog travels over UDP port 514 without authentication or
encryption, so the log server should sit on a protected management network.
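Parsing the PRI, HEADER and MSG parts described above, and using the result for the kind of security auditing the passage mentions, as an added Python example (not code from the book or from any logging product). It decodes facility and severity from PRI, extracts the Cisco IOS %FACILITY-SEVERITY-MNEMONIC tag from the MSG part, and runs two simple detections over constructed log lines: configuration changes and repeated failed logins from one source. The hostname, addresses, and message texts are made up for the illustration.

```python
import re
from collections import defaultdict

SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr", 7: "news",
              8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp", **{16 + i: f"local{i}" for i in range(8)}}

# RFC 3164: PRI is "<n>" with n = facility * 8 + severity; HEADER is timestamp and hostname;
# everything after that is MSG. Cisco IOS puts its own sequence number, timestamp and
# %FACILITY-SEVERITY-MNEMONIC tag inside MSG.
SYSLOG = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
CISCO = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)$")
SOURCE = re.compile(r"\[Source: (?P<ip>[0-9a-fA-F.:]+)\]")


def parse(line):
    m = SYSLOG.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    rec = {"facility": FACILITIES.get(facility, str(facility)), "severity": SEVERITIES[severity],
           "host": m["host"], "timestamp": m["ts"], "msg": m["msg"]}
    c = CISCO.search(m["msg"])
    if c:
        rec.update(ios_facility=c["fac"], ios_severity=SEVERITIES[int(c["sev"])], mnemonic=c["mnem"], text=c["text"])
    return rec


def detect(lines, failed_login_threshold=3):
    """Flag every configuration change and any source that fails to log in
    failed_login_threshold times against the same device."""
    alerts, failures = [], defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec.get("mnemonic") == "CONFIG_I":
            alerts.append(("config-change", rec["host"], rec["text"]))
        elif rec.get("mnemonic") == "LOGIN_FAILED":
            src = SOURCE.search(rec["text"])
            key = (rec["host"], src["ip"] if src else "unknown")
            failures[key] += 1
            if failures[key] == failed_login_threshold:
                alerts.append(("login-brute-force", rec["host"], key[1]))
    return alerts


FAILED = ("%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: {src}] [localport: 22] "
          "[Reason: Login Authentication Failed] at 00:12:4{n} UTC Mon Mar 1 2021")
CONSTRUCTED_LINES = [
    "<189>Mar  1 00:12:34 RTA 45: *Mar  1 00:12:34.100: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<188>Mar  1 00:12:40 RTA 46: *Mar  1 00:12:40.200: " + FAILED.format(src="203.0.113.7", n=0),
    "<188>Mar  1 00:12:41 RTA 47: *Mar  1 00:12:41.200: " + FAILED.format(src="203.0.113.7", n=1),
    "<188>Mar  1 00:12:42 RTA 48: *Mar  1 00:12:42.200: " + FAILED.format(src="10.0.0.5", n=2),
    "<188>Mar  1 00:12:43 RTA 49: *Mar  1 00:12:43.200: " + FAILED.format(src="203.0.113.7", n=3),
    "<187>Mar  1 00:13:01 RTA 50: *Mar  1 00:13:01.300: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up",
]
```

IOS sets the PRI severity from the message's own severity digit, so the two values agree here; a mismatch between them on a real collector usually means a relay or forwarder rewrote the PRI on the way.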
Since using DHCP is the most typical method of deploying IPv4 addresses,
you must be well-versed in the DHCP procedure and be able to spot DHCP-
related problems. This section describes DHCP's functionality and focuses on
how to troubleshoot DHCP-related problems.
DHCPv4 Operations
Your router most likely receives its IP address from your service provider
using DHCP if your home has a cable modem, Digital Subscriber Line (DSL),
or fiber connection. In addition, the router serves as a DHCP server for the
devices in your house. When a PC boots up on a corporate network, it
receives its IP address configuration data from a corporate DHCP server. The
figure depicts the message exchange that occurs as a DHCP client receives IP
address information from a DHCP server (the Discover, Offer, Request,
Acknowledgment [DORA] process).
A router does not forward broadcasts: A router does not forward broadcasts such
as the client's DHCPDISCOVER by default. Therefore, when the DHCP client and
server are on different subnets, the router must be explicitly configured as a
DHCP relay agent (with the ip helper-address command on the client-facing
interface) so that it forwards the broadcast to the server as a unicast.
The "pull" functionality of DHCP: A DHCP client asks a DHCP server for an IP
address when it needs one. Once the client has an address, the server cannot
push a change to it; the client must pull updated information from the server
when it renews its lease. In other words, configuration changes made on the
server reach a client only at its next request.
SLAAC
Without the aid of a DHCPv6 server, SLAAC enables a device to set its own
IPv6 address, prefix, and default gateway.
Stateful DHCPv6
With SLAAC, a device can learn only its IPv6 address, prefix, and default
gateway. Devices in a modern network usually also need other information, such
as the addresses of Network Time Protocol (NTP) servers, the domain name, DNS
servers, and Trivial File Transfer Protocol (TFTP) servers. A stateful DHCPv6
server (signaled to clients by the M flag in the router advertisement)
distributes the IPv6 addressing information along with all of this optional
information and keeps track of which address it assigned to which client.
Stateless DHCPv6
Stateless DHCPv6 combines SLAAC and DHCPv6. Clients automatically derive their
IPv6 address, prefix, and default gateway from the router's RA. The O (Other
configuration) flag in the RA instructs the client to request additional
non-addressing information, such as the DNS server or TFTP server address, from
a DHCPv6 server, which does not have to keep any per-client state.
DHCPv6 Operation
Like DHCPv4, DHCPv6 uses a four-step negotiation, but with the following
messages:
Step 1: SOLICIT: A client sends this message to locate DHCPv6 servers, using
the multicast address FF02::1:2 (All_DHCP_Relay_Agents_and_Servers), to which
every DHCPv6 server and relay agent listens.
Step 2: ADVERTISE: Each server that can serve the client replies with this
message.
Step 3: REQUEST: After verifying the addresses and other parameters, the client
sends this message to the server it has chosen.
Step 4: REPLY: The server completes the procedure with this message.
Other DHCPv6 message types you may come across while troubleshooting a DHCPv6
issue are listed here for reference.
CONFIRM: A client sends this message to a server to confirm that its assigned
address is still suitable for the link it is on (for example, after it has
moved).
RENEW: To extend the lifetime of its assigned addresses, a client sends this
message to the server that assigned them.
REBIND: When a RENEW request is not answered, a client can extend the lifetime
of an assigned address by sending a REBIND message to any server.
REPLY: A server sends this message to the client with the assigned address and
configuration parameters in response to a SOLICIT, REQUEST, RENEW, or REBIND
message received from a client.
DECLINE: A client sends this message to a server to report that an assigned
address is already in use on the link.
IP SLA
The components of IP SLA are an IP SLA source, which transmits the probes, and
an IP SLA responder, which replies to them. Only the source is always required.
The responder is needed when you want very precise statistics for services that
no particular destination device would otherwise provide: it time-stamps the
probe on receipt and again when it replies, so the source can subtract the
responder's processing time from its measurements.
Depending on the IP SLA operation, statistics such as delay, packet loss,
jitter, packet sequence, connectivity, path, server response time, and download
time are tracked on the Cisco device and made available through the CLI and
SNMP MIBs. The probe packets can be configured with a URL, a VPN
routing/forwarding instance (VRF), source and destination IP addresses, User
Datagram Protocol (UDP)/TCP port numbers, a Type of Service (ToS) byte
(including the Differentiated Services Code Point [DSCP] and IP Precedence
bits), and other IP and application-layer options.
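The responder correction and the delay, loss, jitter, and sequence statistics described above, as an added Python example (not code from the book or from Cisco IOS). It takes the four time-stamps a UDP jitter probe collects when a responder is present, removes the responder's processing time from the RTT, computes per-direction jitter from the change in probe spacing, and applies the kind of threshold check an object-tracked operation would use. The probe timings are constructed.

```python
from statistics import mean


def rtt_with_responder(t1, t2, t3, t4):
    """Round-trip time with the responder's own processing time removed.
    T1 = probe sent by the source, T2 = probe received by the responder,
    T3 = reply sent by the responder, T4 = reply received by the source."""
    return (t4 - t1) - (t3 - t2)


def _avg(values):
    return mean(values) if values else 0.0


def udp_jitter_stats(sent, arrivals):
    """sent: number of probes transmitted. arrivals: replies in the order they came back, each a
    dict with seq, t1, t2, t3, t4 in milliseconds. Jitter is the change in spacing between
    consecutive probes, computed per direction: source->destination from T1/T2 and
    destination->source from T3/T4. One-way delays are only meaningful when both clocks are
    NTP-synchronized, which is why IP SLA requires that for one-way statistics."""
    out_of_sequence = sum(1 for a, b in zip(arrivals, arrivals[1:]) if b["seq"] < a["seq"])
    probes = sorted(arrivals, key=lambda p: p["seq"])
    rtts = [rtt_with_responder(p["t1"], p["t2"], p["t3"], p["t4"]) for p in probes]
    jitter = {"sd_pos": [], "sd_neg": [], "ds_pos": [], "ds_neg": []}
    for prev, cur in zip(probes, probes[1:]):
        if cur["seq"] != prev["seq"] + 1:
            continue  # a probe was lost in between, so there is no valid spacing sample
        sd = (cur["t2"] - prev["t2"]) - (cur["t1"] - prev["t1"])
        ds = (cur["t4"] - prev["t4"]) - (cur["t3"] - prev["t3"])
        for value, key in ((sd, "sd"), (ds, "ds")):
            if value > 0:
                jitter[key + "_pos"].append(value)
            elif value < 0:
                jitter[key + "_neg"].append(-value)
    lost = sent - len(probes)
    return {
        "rtt_min": min(rtts), "rtt_avg": mean(rtts), "rtt_max": max(rtts),
        "loss": lost, "loss_pct": 100.0 * lost / sent, "out_of_sequence": out_of_sequence,
        "one_way_sd_avg": _avg([p["t2"] - p["t1"] for p in probes]),
        "one_way_ds_avg": _avg([p["t4"] - p["t3"] for p in probes]),
        "sd_jitter_pos_avg": _avg(jitter["sd_pos"]), "sd_jitter_neg_avg": _avg(jitter["sd_neg"]),
        "ds_jitter_pos_avg": _avg(jitter["ds_pos"]), "ds_jitter_neg_avg": _avg(jitter["ds_neg"]),
    }


def sla_violated(stats, rtt_threshold_ms, max_loss_pct):
    """The check a tracked IP SLA operation applies before the track object goes down."""
    return stats["rtt_avg"] > rtt_threshold_ms or stats["loss_pct"] > max_loss_pct


CONSTRUCTED_ARRIVALS = [  # six probes sent 20 ms apart; probe 4 never came back
    {"seq": 1, "t1": 0, "t2": 5, "t3": 6, "t4": 11},
    {"seq": 2, "t1": 20, "t2": 26, "t3": 27, "t4": 33},
    {"seq": 3, "t1": 40, "t2": 44, "t3": 46, "t4": 50},
    {"seq": 5, "t1": 80, "t2": 85, "t3": 86, "t4": 92},
    {"seq": 6, "t1": 100, "t2": 105, "t3": 106, "t4": 112},
]


def demo():
    return udp_jitter_stats(6, CONSTRUCTED_ARRIVALS)
```

Without the responder, the source can only measure T4 - T1, which silently includes however long the far end took to turn the packet around; with it, a slow responder no longer shows up as network delay.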
Troubleshoot NetFlow
Cisco IOS NetFlow gives you a detailed understanding of your network traffic
patterns. Many vendors provide NetFlow collectors: software that takes the raw
NetFlow data exported from the local device's cache and turns it into graphs,
charts, and tables that illuminate traffic patterns. When troubleshooting
NetFlow, verify the following settings:
Traffic direction
Interface
Export destination
Export source
Version
NetFlow Version 5
NetFlow version 5, the most widely used version and often called traditional
NetFlow, adds Autonomous System (AS) reporting and a few extra fields. Flows
are accounted when they enter an interface (ingress), and outbound traffic on
an interface is derived from the inbound flows of the other interfaces. It is
therefore generally recommended to enable NetFlow v5 on all of the device's
interfaces; otherwise, outbound usage on some interfaces will be
underestimated. Because the v5 packet format is fixed, most NetFlow collection
and traffic reporting packages can decode it easily.
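The fixed NetFlow v5 export format described above, as an added Python example (not code from the book or from any collector product). It serializes and parses the 24-byte header and 48-byte flow records, tracks the flow sequence counter to detect export datagrams lost between router and collector, and flags a horizontal port scan from the decoded flows. The addresses and flows are constructed.

```python
import ipaddress
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_FIELDS = ("src", "dst", "nexthop", "input", "output", "packets", "octets", "first", "last",
             "sport", "dport", "pad1", "tcp_flags", "proto", "tos", "src_as", "dst_as",
             "src_mask", "dst_mask", "pad2")
TCP_SYN, TCP_ACK = 0x02, 0x10


def build_v5(flows, flow_seq=0, uptime=1000, unix_secs=1_700_000_000):
    """Serialize up to 30 flows (the v5 maximum) into one export datagram. flow_seq is the
    total number of flows exported before this datagram, as a real exporter counts it."""
    if len(flows) > 30:
        raise ValueError("NetFlow v5 carries at most 30 records per packet")
    out = V5_HEADER.pack(5, len(flows), uptime, unix_secs, 0, flow_seq, 0, 0, 0)
    for f in flows:
        out += V5_RECORD.pack(ipaddress.IPv4Address(f["src"]).packed, ipaddress.IPv4Address(f["dst"]).packed,
                              b"\0\0\0\0", f.get("input", 1), f.get("output", 2), f["packets"], f["octets"],
                              uptime - 10, uptime, f["sport"], f["dport"], 0, f.get("tcp_flags", 0),
                              f["proto"], 0, 0, 0, 24, 24, 0)
    return out


def parse_v5(packet):
    header = V5_HEADER.unpack_from(packet, 0)
    if header[0] != 5:
        raise ValueError(f"unsupported NetFlow version {header[0]}")
    count, flow_seq = header[1], header[5]
    if len(packet) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        rec = dict(zip(V5_FIELDS, V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)))
        rec["src"] = str(ipaddress.IPv4Address(rec["src"]))
        rec["dst"] = str(ipaddress.IPv4Address(rec["dst"]))
        flows.append(rec)
    return {"flow_sequence": flow_seq, "count": count, "flows": flows}


class Collector:
    """Counts flows lost between exporter and collector (sequence gaps) and flags one source
    hitting many distinct destination ports on one host with SYN-only, one- or two-packet flows."""

    def __init__(self, scan_port_threshold=20):
        self.expected_seq = None
        self.lost_flows = 0
        self.ports_seen = defaultdict(set)
        self.threshold = scan_port_threshold

    def ingest(self, packet):
        parsed = parse_v5(packet)
        if self.expected_seq is not None and parsed["flow_sequence"] != self.expected_seq:
            self.lost_flows += parsed["flow_sequence"] - self.expected_seq
        self.expected_seq = parsed["flow_sequence"] + parsed["count"]
        alerts = []
        for f in parsed["flows"]:
            if f["proto"] == 6 and f["tcp_flags"] == TCP_SYN and f["packets"] <= 2:
                key = (f["src"], f["dst"])
                self.ports_seen[key].add(f["dport"])
                if len(self.ports_seen[key]) == self.threshold:
                    alerts.append(("port-scan", f["src"], f["dst"]))
        return alerts


def demo():
    """Constructed traffic: normal web sessions, a scanner probing 25 ports on one server,
    and an export datagram whose sequence number reveals ten flows lost in transit."""
    collector = Collector()
    normal = [{"src": "10.0.0.5", "dst": "198.51.100.10", "sport": 40000 + i, "dport": 443, "proto": 6,
               "packets": 30, "octets": 12000, "tcp_flags": TCP_SYN | TCP_ACK} for i in range(5)]
    scan = [{"src": "203.0.113.9", "dst": "10.0.0.20", "sport": 55000, "dport": port, "proto": 6,
             "packets": 1, "octets": 60, "tcp_flags": TCP_SYN} for port in range(1, 26)]
    alerts = collector.ingest(build_v5(normal, flow_seq=0))
    alerts += collector.ingest(build_v5(scan, flow_seq=5))          # continues at 5: nothing lost
    alerts += collector.ingest(build_v5(normal[:2], flow_seq=40))   # expected 30: ten flows lost
    return {"alerts": alerts, "lost_flows": collector.lost_flows}
```

NetFlow export is plain UDP with no authentication, so a collector should also restrict which exporter addresses it accepts; the sequence-gap count is useful both for spotting a saturated export path and for noticing injected or replayed datagrams that break the counter.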
NetFlow Version 9
NetFlow version 9 is the template-based export format that Flexible NetFlow
uses for its flow records. Its templates allow a flexible export with
user-defined key and non-key fields, so it can carry IP packet metadata that
traditional NetFlow cannot, and it can accommodate new fields and record types
as they are needed. Flexible NetFlow exports such as MPLS labels, IPv6 traffic,
NBAR-identified applications, multicast IP traffic, VLAN IDs, and real-time
media flow performance all rely on this format.
Flexible NetFlow
Flexible NetFlow elevates NetFlow by enabling you to adjust the traffic
analysis parameters to meet your unique needs. This indicates that there are
more settings to check while troubleshooting. You must be able to confirm
the flow records, flow monitors, flow exporters, and interface configurations
when troubleshooting Flexible NetFlow.
Cisco DNA Center Assurance
Cisco DNA Center, the command and control center for Cisco DNA, lets you
configure and provision devices in minutes. Using Artificial Intelligence (AI)
and Machine Learning (ML), it helps you monitor, diagnose, and optimize your
network, and it can integrate with third-party systems to improve operational
processes.
One element of Cisco DNA Center is Cisco DNA Center Assurance. Its proactive
monitoring helps you spot issues sooner and gathers information from clients,
network devices, network applications, and network services. It lets you verify
that deployed policies and configuration changes produce the intended business
outcomes and user experience, so you spend less time troubleshooting and more
time innovating.
Path Trace
Path Trace is the next DNA Center Assurance troubleshooting tool that will
simplify your life. This functionality is the ping and traceroute you have
always wanted. With Path Trace, you can visually view the route that
programs and services running on a client will travel across every network
device to get where they are going (a server, for example). You can use this
application to quickly complete several troubleshooting activities that would
take you five to ten minutes to complete at the command line.
Device: Used to identify problems with the device, including CPU, RAM, fans,
and other components.
You will also learn about Control Plane Policing (CoPP) troubleshooting, which
looks at CoPP and the factors to consider when troubleshooting CoPP-related
problems. Finally, the IPv6 First Hop Security section covers the security
measures for the IPv6 first hop, including source guard, ND inspection/snooping,
RA guard, and DHCP guard.
The router can be set up to use its local AAA server capability so that the
user authentication and authorization attributes normally held on AAA servers
are also available locally on the router. An attribute, such as a subscriber
profile or a user database entry, can supplement the existing configuration.
The local AAA server gives access to the full dictionary of attributes
supported by Cisco IOS, and for several functions the local database can serve
as the fallback when the external AAA servers are unreachable.
With the wildcard mask 0.0.0.255, the first three octets of the given IP
address, in this case 192.168.1, must match for the IP traffic to be permitted.
A mask octet of 255 tells the router to ignore the corresponding octet of the
packet's address.
Because every access list ends with an implicit deny any, applying an access
list that contains no permit statement to an interface denies all traffic in
that direction, effectively shutting the interface off.
RTA(config)#line vty 0 4
RTA(config-line)#access-class 1 in
Standard ACLs:
Standard ACLs regulate traffic by comparing only the source address of IP
packets to the addresses specified in the ACL. They use the numbers 1 to 99
(and 1300 to 1999) and are written as
access-list access-list-number {permit|deny} {host address|source source-wildcard|any}
Extended ACLs:
Extended ACLs regulate traffic by comparing the source and destination
addresses (and, optionally, the protocol and port numbers) of IP packets to
those specified in the ACL. In any software release, the access-list-number
ranges from 100 to 199. Beginning with Cisco IOS Software Release 12.0.1,
extended ACLs can also use the numbers 2000 to 2699; these are called expanded
IP ACLs.
interface FastEthernet0/0
 ip access-group 100 in
The ip access-group 100 in command applies access list 100 to interface
FastEthernet0/0 for inbound traffic.
IP Named ACLs:
Names will be used in place of numbers to identify the standard and
extended ACLs.
Time-Based ACLs:
Time-based ACLs let you control access based on time and date, giving security
policies finer-grained enforcement. They take the time from the router's system
clock, so Network Time Protocol (NTP) configuration is necessary to guarantee
accurate time. In particular, the Cisco router must be configured to
synchronize with an NTP server so that the time-based ACLs you define take
effect as scheduled.
A time range is created with the time-range name command. Entering it places
you in time-range configuration mode, where you define either a one-time
(absolute) or a recurring (periodic) range:
Absolute: The absolute keyword defines a single window with a start time and an
end time.
Periodic: The periodic keyword defines a recurring window, such as weekdays
between 08:00 and 18:00, during which the time range is active.
To activate a time range, add the time-range parameter to the ACL statement.
While the range is inactive, that statement is skipped as though it were not in
the list.
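The wildcard-mask matching, first-match evaluation, implicit deny, and time-range behaviour described in the ACL passages above, as an added Python example (not code from the book or from Cisco IOS). It parses a subset of the standard and extended ACE syntax shown on the page, evaluates constructed packets against an ACL at two different times, and shows the implicit deny on an ACL with no permit. The ACL entries, time range, and addresses are made up for the illustration.

```python
import ipaddress
from datetime import datetime, time


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'ignore this bit', so 0.0.0.255 checks three octets."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens):
    """Consume one address specification: any | host A | A WILDCARD. Returns (base, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def _take_port(tokens):
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_ace(text, standard=False):
    """Standard: {permit|deny} SRC.  Extended subset: {permit|deny} PROTO SRC [eq PORT] DST [eq PORT]
    [time-range NAME]."""
    tok = text.split()
    ace = {"action": tok.pop(0), "text": text, "sport": None, "dport": None}
    if standard:
        ace["proto"], ace["src"], ace["dst"] = "ip", _take_addr(tok), ("0.0.0.0", "255.255.255.255")
    else:
        ace["proto"] = tok.pop(0)
        ace["src"], ace["sport"] = _take_addr(tok), _take_port(tok)
        ace["dst"], ace["dport"] = _take_addr(tok), _take_port(tok)
    if len(tok) >= 2 and tok[0] == "time-range":
        ace["time_range"] = tok[1]
    return ace


class TimeRange:
    """periodic: list of (weekday numbers, start, end) like 'periodic weekdays 8:00 to 18:00';
    absolute: (start, end) datetimes bounding the whole range."""

    def __init__(self, periodic=None, absolute=None):
        self.periodic, self.absolute = periodic or [], absolute

    def active(self, now):
        if self.absolute and not (self.absolute[0] <= now <= self.absolute[1]):
            return False
        if not self.periodic:
            return self.absolute is not None
        return any(now.weekday() in days and start <= now.time() <= end for days, start, end in self.periodic)


class AccessList:
    def __init__(self, aces, time_ranges=None, standard=False):
        self.aces = [parse_ace(a, standard) for a in aces]
        self.time_ranges = time_ranges or {}

    def evaluate(self, pkt, now=None):
        """pkt: dict with proto, src, dst and optional sport/dport. First match wins;
        a packet matching nothing hits the implicit deny at the end."""
        now = now or datetime.now()
        for ace in self.aces:
            name = ace.get("time_range")
            if name and not self.time_ranges[name].active(now):
                continue  # inactive time range: the entry does not exist right now
            if ace["proto"] not in ("ip", pkt["proto"]):
                continue
            if not (wildcard_match(pkt["src"], *ace["src"]) and wildcard_match(pkt["dst"], *ace["dst"])):
                continue
            if ace["sport"] is not None and ace["sport"] != pkt.get("sport"):
                continue
            if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
                continue
            return ace["action"], ace["text"]
        return "deny", "implicit deny any"


def demo():
    ranges = {"BUSINESS-HOURS": TimeRange(periodic=[({0, 1, 2, 3, 4}, time(8, 0), time(18, 0))])}
    acl100 = AccessList(["deny tcp any host 10.0.0.5 eq 23 time-range BUSINESS-HOURS",
                         "permit ip 192.168.1.0 0.0.0.255 any"], ranges)
    telnet = {"proto": "tcp", "src": "192.168.1.77", "dst": "10.0.0.5", "sport": 51000, "dport": 23}
    monday, saturday = datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 9, 10, 0)
    return {"telnet_monday": acl100.evaluate(telnet, monday)[0],
            "telnet_saturday": acl100.evaluate(telnet, saturday)[0],
            "other_subnet": acl100.evaluate(dict(telnet, src="192.168.2.1"), saturday),
            "empty_acl": AccessList([]).evaluate(telnet, monday)}
```

The "empty_acl" result is the implicit deny the passage warns about: an ACL with no permit applied to an interface blocks everything, including the management traffic you are using to reach the device.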
Unicast Reverse Path Forwarding (uRPF)
uRPF has three operating modes: strict, loose, and Virtual Routing and
Forwarding (VRF). Whether a packet is judged valid or invalid depends on the
mode you select:
Strict: In strict mode, the router examines the packet's source IP address and
notes the ingress interface. It then checks the routing table for the interface
(ignoring a default route unless allow-default is configured) that it would use
to reach that source address. The packet is valid and forwarded only if that
interface is the very interface on which the packet arrived; if the best path
points out a different interface, the packet is dropped. Strict mode therefore
breaks where routing is asymmetric.
Loose: In loose mode, the router only checks whether any route (other than a
default route, by default) exists for the packet's source IP address. If such a
route exists, the packet is forwarded; otherwise it is dropped. A route to Null0
does not count as a valid path, so blackhole routes for bogon or attacker
prefixes make loose mode drop packets from those sources.
VRF: VRF mode is the same as loose mode, except that only routes in the same
VRF as the interface on which the packet was received are examined.
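The three uRPF verdicts described above, as an added Python example (not code from the book or from Cisco IOS). It performs a longest-prefix lookup on a constructed routing table, skipping the default route unless allow-default is requested, and applies the strict, loose, and VRF rules to spoofed, asymmetric, and blackholed sources. The table-selection rule for loose versus VRF mode is a simplification made for the illustration; the routes, interfaces, and addresses are made up.

```python
import ipaddress


class Router:
    """routes: (prefix, outgoing interface, vrf) tuples; 'Null0' marks a blackhole route.
    interface_vrf: ingress interface -> VRF name ('global' for the default table)."""

    def __init__(self, routes, interface_vrf):
        self.routes = [(ipaddress.IPv4Network(p), iface, vrf) for p, iface, vrf in routes]
        self.interface_vrf = interface_vrf

    def lookup(self, addr, vrf, allow_default=False):
        """Longest-prefix match in one table; the default route is ignored unless allow_default."""
        a, best = ipaddress.IPv4Address(addr), None
        for net, iface, v in self.routes:
            if v != vrf or a not in net or (net.prefixlen == 0 and not allow_default):
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
        return best

    def urpf_check(self, src, in_iface, mode, allow_default=False):
        """mode: 'strict', 'loose' or 'vrf', as in 'ip verify unicast source reachable-via'.
        Returns (verdict, reason). Simplification: loose mode consults the global table, while
        strict and vrf mode consult the table of the VRF the ingress interface belongs to."""
        table = "global" if mode == "loose" else self.interface_vrf[in_iface]
        best = self.lookup(src, table, allow_default)
        if best is None:
            return "drop", f"no route to source {src} in {table} table"
        net, iface = best
        if iface == "Null0":
            return "drop", f"source covered by blackhole route {net}"
        if mode == "strict" and iface != in_iface:
            return "drop", f"route to source points out {iface}, packet arrived on {in_iface}"
        return "forward", f"route {net} via {iface}"


CONSTRUCTED_ROUTES = [
    ("0.0.0.0/0", "Gi0/0", "global"),          # upstream default
    ("198.51.100.0/24", "Gi0/1", "global"),    # a customer reached via Gi0/1
    ("203.0.113.0/24", "Gi0/2", "global"),     # another customer via Gi0/2
    ("10.0.0.0/8", "Null0", "global"),         # RFC 1918 space blackholed: must never be a source
    ("172.16.0.0/16", "Gi0/3", "CUST-A"),      # route that exists only inside VRF CUST-A
]
INTERFACE_VRF = {"Gi0/0": "global", "Gi0/1": "global", "Gi0/2": "global", "Gi0/3": "CUST-A"}


def demo():
    r = Router(CONSTRUCTED_ROUTES, INTERFACE_VRF)
    return {
        "symmetric_strict": r.urpf_check("198.51.100.5", "Gi0/1", "strict")[0],
        "asymmetric_strict": r.urpf_check("198.51.100.5", "Gi0/2", "strict")[0],
        "asymmetric_loose": r.urpf_check("198.51.100.5", "Gi0/2", "loose")[0],
        "blackholed_source": r.urpf_check("10.1.2.3", "Gi0/2", "loose")[0],
        "only_default_route": r.urpf_check("192.0.2.9", "Gi0/2", "loose")[0],
        "only_default_allowed": r.urpf_check("192.0.2.9", "Gi0/2", "loose", allow_default=True)[0],
        "vrf_internal_source": r.urpf_check("172.16.5.5", "Gi0/3", "vrf")[0],
        "vrf_source_on_global_port": r.urpf_check("172.16.5.5", "Gi0/2", "loose")[0],
    }
```

The "only_default_allowed" case shows why allow-default weakens the check on an upstream-facing interface: with a default route present, every source address becomes reachable and loose mode stops filtering anything that is not explicitly blackholed.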
Troubleshooting Control Plane Policing (CoPP)
CoPP configuration varies by platform and IOS version, but the following steps
are always involved:
To identify the traffic, create ACLs
To define a traffic class, create class maps
To specify a service policy, create policy maps
To the control plane, apply the service policy
You should keep an eye out for problems with the application of the service
policy, the class maps, the policy maps, and the ACLs when troubleshooting.
1. Creating ACLs to Identify the Traffic
With CoPP, ACLs are utilized to identify traffic. The traffic becomes the
target of the policy action after it has been matched. As the basis or critical
component of CoPP, defining the ACLs is the most crucial phase in the CoPP
process. The traffic will not match if the ACL is incorrectly formed, so the
policies will not be correctly implemented.
IPv6 First Hop Security
You could assume that the "first hop" refers to the first router, but that is
not the case. These features belong on switches, specifically the access switch
between your endpoints and the first router.
The Cisco IPv6 First Hop Security (FHS) solution safeguards networks by
mitigating these threats and configuration problems. It addresses
vulnerabilities in IPv6 link operations, such as Neighbor Discovery and router
advertisement spoofing, as well as scalability problems in large Layer 2
domains, giving you a strong defense against attack methods and attack tools
that are freely available and easy to use.
DHCPv6 Guard
DHCPv6 Guard is the IPv6 counterpart of DHCP snooping for IPv4. It ensures that
rogue DHCPv6 servers cannot assign addresses to clients, redirect client
traffic, or exhaust the legitimate DHCPv6 server's address pool in a
Denial-of-Service attack. DHCPv6 Guard blocks reply and advertisement messages
that come from unauthorized DHCPv6 servers and relay agents. A policy is
created in DHCP guard configuration mode with the ipv6 dhcp guard policy
policy-name command, where the device role (client or server) of the attached
ports is set, and DHCPv6 Guard is enabled on an interface-by-interface basis by
attaching the policy with the ipv6 dhcp guard attach-policy [policy-name [vlan
{add | except | none | remove | all} vlan [vlan1, vlan2, vlan3...]]] command. A
policy must exist before DHCPv6 Guard can function.
Binding Table
The binding table database lists the IPv6 neighbors connected to the device. It
records details such as the prefix binding, the IPv6 address, the link-layer
(MAC) address, and the interface and VLAN on which the neighbor was learned.
Other IPv6 First Hop Security features use this table to prevent spoofing and
redirect attacks.
IPv6 Neighbor Discovery Inspection/IPv6 Snooping
The binding table for stateless autoconfiguration addresses is learned and
populated via the IPv6 neighbor discovery inspection/snooping capability. As
it examines ND (Neighbor Discovery) messages, it adds any valid bindings to
the binding table and discards any messages that do not have valid bindings.
A message with a confirmed IPv6-to-MAC mapping is considered a valid ND
message.
Source Guard
A Layer 2 snooping interface feature called IPv6 Source Guard is used to
confirm the source of IPv6 traffic. IPv6 Source Guard can block traffic from
unidentified sources when it arrives on an interface. A source must be listed
in the binding table for traffic to come from that source, and the source is
identified and added to the binding table either by ND inspection or IPv6
address gleaning.
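The DHCPv6 message types from the DHCPv6 Operation section, and the DHCPv6 Guard, binding table, and Source Guard behaviour described in this First Hop Security section, as one added Python example (not code from the book or from Cisco IOS). An access switch model gleans bindings from Neighbor Discovery messages, uses them to decide whether data traffic may be forwarded, and drops server-originated DHCPv6 messages on ports whose policy role is client. The port names, MAC and IPv6 addresses, and message bytes are constructed for the illustration.

```python
DHCPV6_MSG = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW", 6: "REBIND",
              7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE", 11: "INFORMATION-REQUEST",
              12: "RELAY-FORW", 13: "RELAY-REPL"}
SERVER_ORIGIN = {"ADVERTISE", "REPLY", "RECONFIGURE", "RELAY-REPL"}  # only servers/relays send these


def dhcpv6_message_type(udp_payload):
    """A DHCPv6 message starts with a 1-byte msg-type followed by a 3-byte transaction id."""
    if len(udp_payload) < 4:
        raise ValueError("DHCPv6 message too short")
    return DHCPV6_MSG.get(udp_payload[0], f"unknown-{udp_payload[0]}")


class AccessSwitch:
    """port_roles: interface -> 'client' or 'server', the device-role of the guard policy
    attached to that port. Ports without a policy role are treated as clients."""

    def __init__(self, port_roles):
        self.port_roles = port_roles
        self.binding_table = {}  # IPv6 address -> (MAC address, port)
        self.log = []

    def nd_snoop(self, port, mac, ipv6):
        """Glean a binding from a Neighbor Advertisement or Solicitation. A second MAC or port
        claiming an address that is already bound elsewhere is a spoofing attempt and is dropped."""
        bound = self.binding_table.get(ipv6)
        if bound and bound != (mac, port):
            self.log.append(("nd-inspection-drop", port, ipv6))
            return False
        self.binding_table[ipv6] = (mac, port)
        return True

    def source_guard(self, port, mac, src_ipv6):
        """IPv6 Source Guard: forward data only if (address, MAC, port) is in the binding table."""
        allowed = self.binding_table.get(src_ipv6) == (mac, port)
        if not allowed:
            self.log.append(("source-guard-drop", port, src_ipv6))
        return allowed

    def dhcpv6_guard(self, port, udp_payload):
        """DHCPv6 Guard: server-originated messages are dropped unless the port's role is server."""
        msg_type = dhcpv6_message_type(udp_payload)
        if msg_type in SERVER_ORIGIN and self.port_roles.get(port, "client") != "server":
            self.log.append(("dhcpv6-guard-drop", port, msg_type))
            return False
        return True


def demo():
    sw = AccessSwitch({"Gi1/0/1": "client", "Gi1/0/2": "client", "Gi1/0/24": "server"})
    xid = b"\x12\x34\x56"  # constructed transaction id
    results = {
        "host_registers": sw.nd_snoop("Gi1/0/1", "aa:bb:cc:00:00:01", "2001:db8::10"),
        "host_data": sw.source_guard("Gi1/0/1", "aa:bb:cc:00:00:01", "2001:db8::10"),
        "spoofed_source": sw.source_guard("Gi1/0/1", "aa:bb:cc:00:00:01", "2001:db8::99"),
        "address_theft": sw.nd_snoop("Gi1/0/2", "aa:bb:cc:00:00:02", "2001:db8::10"),
        "rogue_advertise": sw.dhcpv6_guard("Gi1/0/2", b"\x02" + xid),
        "rogue_reply": sw.dhcpv6_guard("Gi1/0/2", b"\x07" + xid),
        "client_solicit": sw.dhcpv6_guard("Gi1/0/2", b"\x01" + xid),
        "real_server_advertise": sw.dhcpv6_guard("Gi1/0/24", b"\x02" + xid),
    }
    return results, sw.log
```

The ordering matters in practice: Source Guard can only permit what the binding table already holds, so a host whose ND traffic was never seen by the switch (for example after the switch rebooted) is cut off until it sends ND again or the switch gleans its address by other means.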
Mind Map